Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:27 PM
Connect Directly

Microsoft: How the Threat Landscape Will Shift This Year

Exclusive interview with Windows Security lead on how 2017 was a "return to retro" security threats and 2018 will bring increasingly targeted, advanced, and dangerous cyberattacks.

Unlike security professionals, who have stressed over digital threats for years, most average consumers didn't recognize the importance of security until 2017.

"Grandmothers and grandfathers and moms and dads are now aware of cyber intrusions," says David Weston, principal security group manager for the Windows Enterprise and Security team at Microsoft. "It's amazing, but it also means we have a lot of work to do."

In an exclusive interview with Dark Reading this week, Weston shared insight on the threats and trends were top of mind for Microsoft last year, and what he's worried about in the new year.

2017: Ransomware, targeted attacks stand out  

Massive cyberattacks WannaCry and NotPetya, which hit major global brands, drove security to the forefront of consumers' minds. Weston says the two outbreaks topped Microsoft's list last year. Both used a ransomware worm, which he calls "a hallmark" of 2017 and describes as a sort of "return to retro" that caught the security community off guard.

From a technical perspective, use of a worm on both occasions was "particularly interesting." During WannaCry, the Microsoft team "learned a ton about where we need to keep investing," Weston adds. "Bug classes some of us thought were extinct will be key going forward."

WannaCry symbolizes a level of destruction that Weston predicts will grow as cybercriminals' goals shift. This doesn't necessarily mean more targeted attacks, but it does mean threats will become broader and more advanced as threat actors aim to destroy networks.

"Originally attackers focused on stealth," he says. "They wanted to exfiltrate information while staying quiet … what you're seeing with WannaCry, they're potentially using that to send a statement and do more destructive things. It's a maturity and evolution of targeted attacks."

Both attacks used an interesting strategy that Weston says has, so far, been overshadowed.

"They're automating techniques, which you'd see from a red team or adversary, into their malware or implants," he explains. "You're in a situation where, after it gets a foothold, the piece of malware is operating like a full-on red team. That's actually a big challenge."

In NotPetya, for example, once the threat landed on a machine it would spread, looking for places to move laterally and credentials to steal. It's part of evolving threat sophistication, says Weston. Hacking platforms like Metasploit and PowerSploit have research to support red teams, but much of that research is accessible to threat actors who are "using it to great effect," he adds.

"A smart adversary will take advantage of intelligence and use it," says Weston. "They're trying to impact as much of the network as possible, and per-incident impact and cost will go way up. You can't just defend a single machine, you have to look at it holistically, at a network level."

2018: Rise of supply chain, cryptocurrency attacks

Weston says supply chain attacks are "of grave concern" this year as criminal groups shift their strategy.

"We're seeing some of the attack groups that used to use zero-days, moving away from watering-hole types of attacks to compromising large websites that might distribute common utility software and putting their implant in there," he explains.

It's a growing technique among attack groups: Infect as many people as possible then sift through the victims to find specific targets. Attackers are hitting supply chain software because it's easy to hide within a process that vendors will associate with something good. In some cases, supply chain software can bypass app control settings and cause problems for defenders.

Take Operation WilySupply, where an attacker was using a compromised update mechanism for a third-party editing tool to deliver malware. While it didn't use a zero-day, the attack abused the trust relationship involved with software supply chains. Microsoft discovered the attack attempt early last year.

Defending against supply chain attacks will be tough because each software vendor has a different distribution mechanism and signing infrastructure, says Weston. In the past, companies could put software on a "trusted list" if it had a history of being secure. However, he says, businesses have to realize anything can change from good to bad at any time.

"Getting your software sources from centralized locations where possible is one of the practical means for protecting against supply chain attacks," Weston adds.

Cryptocurrency will be a growing security issue as more people adopt it. Attackers will target machines to cannibalize their resources and focus on cryptocurrencies, which are getting harder to mine in legitimate ways. Wallets will also become popular among hackers.

"Targeting wallets will become more popular as more people dabble in investing in bitcoins and accessing them," he explains. "If we get to the point where everyone has a wallet on their machine, there's an opportunity for cybercriminals on every machine."

Weston says Microsoft is exploring ways to use analytics in Windows and Azure to determine when a machine is using resources in ways it previously hasn't. Did you take up a lot of storage space overnight? Does this connection come from a trusted IP? Is it being used for spam? Machine learning, he says, can help establish a baseline of what the PC uses and train on it.

He points out sophisticated threat actors are using similar technologies to identify anomalous behaviors. "They can use the same thing to find gaps in our defenses. They can hire capable engineers, they can hire clouds that scale to their needs." As attackers build their strategies, defenders must do the same.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...