Microsoft unlocked a host of new security and management features in the Windows 10 Fall Creators Update, which started rolling out last week. One of its new tools, Windows Defender Exploit Guard (WDEG), aims to protect businesses from ransomware by blocking common attacker behaviors.
Several studies point to the growth of ransomware hitting enterprise victims. Dark Reading found 35% of businesses were hit with ransomware in the past year, and only 27% believe current anti-malware tech is effective in preventing ransomware.
It's not uncommon for victims to get tricked twice. An ESG Research Insight Report found many organizations have a recurrence of ransomware attacks, with 22% of 300 IT and security pros saying the same ransomware re-infected the same endpoints, and 38% claiming the same ransomware affected other endpoints within the business. Nearly half (46%) had been hit.
Microsoft is aiming to shrink the attack surface for next-gen malware with Windows Defender Exploit Guard, a suite of intrusion prevention tools shipping with the Creators Update. The set includes four parts created to block a range of attack vectors and actor techniques:
- Attack Surface Reduction (ASR): Controls that block Office-, script-, and email-based threats to prevent malware from getting on the machine
- Network Protection: Blocks outbound processes to untrusted hosts/IP via Windows Defender Smartscreen to defend against Web-based threats
- Controlled Folder Access: Blocks untrusted processes from accessing protected folders with sensitive data
- Exploit Protection: Exploit mitigations replacing EMET that can be configured to protect the systems and applications
Peter Firstbrook, Vice President at Gartner, says the idea is to get at the root cause of how attackers launch ransomware. Currently, AV systems mitigate ransomware by detecting and eliminating malicious files once they are on the endpoint. The problem is, attackers evade these technologies with new tactics to compromise endpoints and execute ransomware without writing anything to disk.
"Attackers are a pretty creative bunch," he explains. "They may just move on to different types of applications and files, or find a way around it … we need to make it harder for attackers, and that's really the key theme here with Windows."
Instead of building security tools to react to new forms of malware, Firstbrook points out how companies like Microsoft, CrowdStrike, and Carbon Black are creating more proactive systems that anticipate hackers' behavior and defend against it.
ASR, one component of WDEG, was built on the idea that email and Office apps are common attack vectors and let actors distribute fileless attacks. It can block behaviors that malicious documents use to execute; for example, it can block Office apps from injecting into process.
Controlled Folder Access, another, locks down critical folders so only authorized applications can access files. Unauthorized apps, like malicious and suspicious files, DLLs, and scripts, will be denied even when they are running with administrator's privilege.
The Controlled folder protects common folders, which contain documents and important data, by default. It's flexible, though, and admins can add other folders they want to be protected. This also allows trusted apps, such as a unique or custom app, to access protected folders. Users are alerted when unauthorized apps attempt to access or change files in protected folders.
"These are more durable changes than the traditional signature-based antivirus approach where we say, 'Is the file good or bad?'" says Firstbrook. "Instead of issuing a new signature, [Microsoft] is saying 'Why are they successful, and let's deal with the root cause.'"
The decision to push automatic updates will also ultimately benefit companies in the fight against ransomware. "With continuous updates, and focus on security, they're responding quickly to changing attack patterns on the OS they weren't before," he adds.
Microsoft isn't the only company buckling down on endpoint security. The growth of ransomware has motivated businesses to think beyond traditional antivirus and host intrusion prevention systems, and build next-gen tools that don't rely on signatures to detect malware.
- 'BoundHook' Technique Enables Attacker Persistence on Windows Systems
- New Locky Ransomware Strain Emerges
- 'Hacker Door' Backdoor Resurfaces as RAT a Decade Later
- 10 Social Engineering Attacks Your End Users Need to Know About
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.