Microsoft: How the Threat Landscape Will Shift This Year

Exclusive interview with Windows Security lead on how 2017 was a "return to retro" security threats and 2018 will bring increasingly targeted, advanced, and dangerous cyberattacks.

Kelly Sheridan, Former Senior Editor, Dark Reading

January 9, 2018

5 Min Read

Unlike security professionals, who have stressed over digital threats for years, most average consumers didn't recognize the importance of security until 2017.

"Grandmothers and grandfathers and moms and dads are now aware of cyber intrusions," says David Weston, principal security group manager for the Windows Enterprise and Security team at Microsoft. "It's amazing, but it also means we have a lot of work to do."

In an exclusive interview with Dark Reading this week, Weston shared insight on the threats and trends were top of mind for Microsoft last year, and what he's worried about in the new year.

2017: Ransomware, targeted attacks stand out  

Massive cyberattacks WannaCry and NotPetya, which hit major global brands, drove security to the forefront of consumers' minds. Weston says the two outbreaks topped Microsoft's list last year. Both used a ransomware worm, which he calls "a hallmark" of 2017 and describes as a sort of "return to retro" that caught the security community off guard.

From a technical perspective, use of a worm on both occasions was "particularly interesting." During WannaCry, the Microsoft team "learned a ton about where we need to keep investing," Weston adds. "Bug classes some of us thought were extinct will be key going forward."

WannaCry symbolizes a level of destruction that Weston predicts will grow as cybercriminals' goals shift. This doesn't necessarily mean more targeted attacks, but it does mean threats will become broader and more advanced as threat actors aim to destroy networks.

"Originally attackers focused on stealth," he says. "They wanted to exfiltrate information while staying quiet … what you're seeing with WannaCry, they're potentially using that to send a statement and do more destructive things. It's a maturity and evolution of targeted attacks."

Both attacks used an interesting strategy that Weston says has, so far, been overshadowed.

"They're automating techniques, which you'd see from a red team or adversary, into their malware or implants," he explains. "You're in a situation where, after it gets a foothold, the piece of malware is operating like a full-on red team. That's actually a big challenge."

In NotPetya, for example, once the threat landed on a machine it would spread, looking for places to move laterally and credentials to steal. It's part of evolving threat sophistication, says Weston. Hacking platforms like Metasploit and PowerSploit have research to support red teams, but much of that research is accessible to threat actors who are "using it to great effect," he adds.

"A smart adversary will take advantage of intelligence and use it," says Weston. "They're trying to impact as much of the network as possible, and per-incident impact and cost will go way up. You can't just defend a single machine, you have to look at it holistically, at a network level."

2018: Rise of supply chain, cryptocurrency attacks

Weston says supply chain attacks are "of grave concern" this year as criminal groups shift their strategy.

"We're seeing some of the attack groups that used to use zero-days, moving away from watering-hole types of attacks to compromising large websites that might distribute common utility software and putting their implant in there," he explains.

It's a growing technique among attack groups: Infect as many people as possible then sift through the victims to find specific targets. Attackers are hitting supply chain software because it's easy to hide within a process that vendors will associate with something good. In some cases, supply chain software can bypass app control settings and cause problems for defenders.

Take Operation WilySupply, where an attacker was using a compromised update mechanism for a third-party editing tool to deliver malware. While it didn't use a zero-day, the attack abused the trust relationship involved with software supply chains. Microsoft discovered the attack attempt early last year.

Defending against supply chain attacks will be tough because each software vendor has a different distribution mechanism and signing infrastructure, says Weston. In the past, companies could put software on a "trusted list" if it had a history of being secure. However, he says, businesses have to realize anything can change from good to bad at any time.

"Getting your software sources from centralized locations where possible is one of the practical means for protecting against supply chain attacks," Weston adds.

Cryptocurrency will be a growing security issue as more people adopt it. Attackers will target machines to cannibalize their resources and focus on cryptocurrencies, which are getting harder to mine in legitimate ways. Wallets will also become popular among hackers.

"Targeting wallets will become more popular as more people dabble in investing in bitcoins and accessing them," he explains. "If we get to the point where everyone has a wallet on their machine, there's an opportunity for cybercriminals on every machine."

Weston says Microsoft is exploring ways to use analytics in Windows and Azure to determine when a machine is using resources in ways it previously hasn't. Did you take up a lot of storage space overnight? Does this connection come from a trusted IP? Is it being used for spam? Machine learning, he says, can help establish a baseline of what the PC uses and train on it.

He points out sophisticated threat actors are using similar technologies to identify anomalous behaviors. "They can use the same thing to find gaps in our defenses. They can hire capable engineers, they can hire clouds that scale to their needs." As attackers build their strategies, defenders must do the same.

Related Content:

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights