Endpoint

1/9/2018
03:27 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail

Microsoft: How the Threat Landscape Will Shift This Year

Exclusive interview with Windows Security lead on how 2017 was a "return to retro" security threats and 2018 will bring increasingly targeted, advanced, and dangerous cyberattacks.



Unlike security professionals, who have stressed over digital threats for years, most average consumers didn't recognize the importance of security until 2017.

"Grandmothers and grandfathers and moms and dads are now aware of cyber intrusions," says David Weston, principal security group manager for the Windows Enterprise and Security team at Microsoft. "It's amazing, but it also means we have a lot of work to do."

In an exclusive interview with Dark Reading this week, Weston shared insight on the threats and trends were top of mind for Microsoft last year, and what he's worried about in the new year.

2017: Ransomware, targeted attacks stand out  

Massive cyberattacks WannaCry and NotPetya, which hit major global brands, drove security to the forefront of consumers' minds. Weston says the two outbreaks topped Microsoft's list last year. Both used a ransomware worm, which he calls "a hallmark" of 2017 and describes as a sort of "return to retro" that caught the security community off guard.

From a technical perspective, use of a worm on both occasions was "particularly interesting." During WannaCry, the Microsoft team "learned a ton about where we need to keep investing," Weston adds. "Bug classes some of us thought were extinct will be key going forward."

WannaCry symbolizes a level of destruction that Weston predicts will grow as cybercriminals' goals shift. This doesn't necessarily mean more targeted attacks, but it does mean threats will become broader and more advanced as threat actors aim to destroy networks.

"Originally attackers focused on stealth," he says. "They wanted to exfiltrate information while staying quiet … what you're seeing with WannaCry, they're potentially using that to send a statement and do more destructive things. It's a maturity and evolution of targeted attacks."

Both attacks used an interesting strategy that Weston says has, so far, been overshadowed.

"They're automating techniques, which you'd see from a red team or adversary, into their malware or implants," he explains. "You're in a situation where, after it gets a foothold, the piece of malware is operating like a full-on red team. That's actually a big challenge."

In NotPetya, for example, once the threat landed on a machine it would spread, looking for places to move laterally and credentials to steal. It's part of evolving threat sophistication, says Weston. Hacking platforms like Metasploit and PowerSploit have research to support red teams, but much of that research is accessible to threat actors who are "using it to great effect," he adds.

"A smart adversary will take advantage of intelligence and use it," says Weston. "They're trying to impact as much of the network as possible, and per-incident impact and cost will go way up. You can't just defend a single machine, you have to look at it holistically, at a network level."

2018: Rise of supply chain, cryptocurrency attacks

Weston says supply chain attacks are "of grave concern" this year as criminal groups shift their strategy.

"We're seeing some of the attack groups that used to use zero-days, moving away from watering-hole types of attacks to compromising large websites that might distribute common utility software and putting their implant in there," he explains.

It's a growing technique among attack groups: Infect as many people as possible then sift through the victims to find specific targets. Attackers are hitting supply chain software because it's easy to hide within a process that vendors will associate with something good. In some cases, supply chain software can bypass app control settings and cause problems for defenders.

Take Operation WilySupply, where an attacker was using a compromised update mechanism for a third-party editing tool to deliver malware. While it didn't use a zero-day, the attack abused the trust relationship involved with software supply chains. Microsoft discovered the attack attempt early last year.

Defending against supply chain attacks will be tough because each software vendor has a different distribution mechanism and signing infrastructure, says Weston. In the past, companies could put software on a "trusted list" if it had a history of being secure. However, he says, businesses have to realize anything can change from good to bad at any time.

"Getting your software sources from centralized locations where possible is one of the practical means for protecting against supply chain attacks," Weston adds.

Cryptocurrency will be a growing security issue as more people adopt it. Attackers will target machines to cannibalize their resources and focus on cryptocurrencies, which are getting harder to mine in legitimate ways. Wallets will also become popular among hackers.

"Targeting wallets will become more popular as more people dabble in investing in bitcoins and accessing them," he explains. "If we get to the point where everyone has a wallet on their machine, there's an opportunity for cybercriminals on every machine."

Weston says Microsoft is exploring ways to use analytics in Windows and Azure to determine when a machine is using resources in ways it previously hasn't. Did you take up a lot of storage space overnight? Does this connection come from a trusted IP? Is it being used for spam? Machine learning, he says, can help establish a baseline of what the PC uses and train on it.

He points out sophisticated threat actors are using similar technologies to identify anomalous behaviors. "They can use the same thing to find gaps in our defenses. They can hire capable engineers, they can hire clouds that scale to their needs." As attackers build their strategies, defenders must do the same.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...
CVE-2018-11239
PUBLISHED: 2018-05-19
An integer overflow in the _transfer function of a smart contract implementation for Hexagon (HXG), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets by providing a _to argument in conjunction with a large _value argument, as exploited in the wild in ...