Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/23/2017
05:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Windows 10 Update Aims to Block Attackers' Behavior

Microsoft protects machines from common attacker behaviors with security updates in Windows 10.

Microsoft unlocked a host of new security and management features in the Windows 10 Fall Creators Update, which started rolling out last week. One of its new tools, Windows Defender Exploit Guard (WDEG), aims to protect businesses from ransomware by blocking common attacker behaviors.

Several studies point to the growth of ransomware hitting enterprise victims. Dark Reading found 35% of businesses were hit with ransomware in the past year, and only 27% believe current anti-malware tech is effective in preventing ransomware.

It's not uncommon for victims to get tricked twice. An ESG Research Insight Report found many organizations have a recurrence of ransomware attacks, with 22% of 300 IT and security pros saying the same ransomware re-infected the same endpoints, and 38% claiming the same ransomware affected other endpoints within the business. Nearly half (46%) had been hit.

Microsoft is aiming to shrink the attack surface for next-gen malware with Windows Defender Exploit Guard, a suite of intrusion prevention tools shipping with the Creators Update. The set includes four parts created to block a range of attack vectors and actor techniques:

  • Attack Surface Reduction (ASR): Controls that block Office-, script-, and email-based threats to prevent malware from getting on the machine
  • Network Protection: Blocks outbound processes to untrusted hosts/IP via Windows Defender Smartscreen to defend against Web-based threats
  • Controlled Folder Access: Blocks untrusted processes from accessing protected folders with sensitive data
  • Exploit Protection: Exploit mitigations replacing EMET that can be configured to protect the systems and applications

Peter Firstbrook, Vice President at Gartner, says the idea is to get at the root cause of how attackers launch ransomware. Currently, AV systems mitigate ransomware by detecting and eliminating malicious files once they are on the endpoint. The problem is, attackers evade these technologies with new tactics to compromise endpoints and execute ransomware without writing anything to disk.

"Attackers are a pretty creative bunch," he explains. "They may just move on to different types of applications and files, or find a way around it … we need to make it harder for attackers, and that's really the key theme here with Windows."

Instead of building security tools to react to new forms of malware, Firstbrook points out how companies like Microsoft, CrowdStrike, and Carbon Black are creating more proactive systems that anticipate hackers' behavior and defend against it.

ASR, one component of WDEG, was built on the idea that email and Office apps are common attack vectors and let actors distribute fileless attacks. It can block behaviors that malicious documents use to execute; for example, it can block Office apps from injecting into process.

Controlled Folder Access, another, locks down critical folders so only authorized applications can access files. Unauthorized apps, like malicious and suspicious files, DLLs, and scripts, will be denied even when they are running with administrator's privilege.

The Controlled folder protects common folders, which contain documents and important data, by default. It's flexible, though, and admins can add other folders they want to be protected. This also allows trusted apps, such as a unique or custom app, to access protected folders. Users are alerted when unauthorized apps attempt to access or change files in protected folders.

"These are more durable changes than the traditional signature-based antivirus approach where we say, 'Is the file good or bad?'" says Firstbrook. "Instead of issuing a new signature, [Microsoft] is saying 'Why are they successful, and let's deal with the root cause.'"

The decision to push automatic updates will also ultimately benefit companies in the fight against ransomware. "With continuous updates, and focus on security, they're responding quickly to changing attack patterns on the OS they weren't before," he adds.

Microsoft isn't the only company buckling down on endpoint security. The growth of ransomware has motivated businesses to think beyond traditional antivirus and host intrusion prevention systems, and build next-gen tools that don't rely on signatures to detect malware.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25159
PUBLISHED: 2020-11-24
499ES EtherNet/IP (ENIP) Adaptor Source Code is vulnerable to a stack-based buffer overflow, which may allow an attacker to send a specially crafted packet that may result in a denial-of-service condition or code execution.
CVE-2020-25654
PUBLISHED: 2020-11-24
An ACL bypass flaw was found in pacemaker before 1.1.24-rc1 and 2.0.5-rc2. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went throu...
CVE-2020-28329
PUBLISHED: 2020-11-24
Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19.
CVE-2020-29053
PUBLISHED: 2020-11-24
HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter.
CVE-2020-25640
PUBLISHED: 2020-11-24
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.