Crippling the Cyber Kill Chain
While Digital Transformation is driving exponential growth for organizations, businesses are increasingly being exposed to sophisticated cyber threats with complex code that is hard to detect. The security landscape is changing very swiftly, with record leaks, bank account hacks and online frauds making headlines every morning. Clearly the mechanisms in place today aren’t strong enough to protect against these breaches.
The security landscape is changing very fast and must deal with dynamic cyber wars and Advanced Persistent Threats (APTs). Lockheed-Martin defines an Advanced Persistent Threat (APT) as:
- Advanced: Targeted, coordinated and purposeful
- Persistent: Month after month, year after year
- Threat: Person with intent, opportunity and capability
Attackers must complete the following stages of the Cyber Kill Chain to achieve their objectives:
Endpoints: PROTECT, DETECT and RESPOND
Traditional solutions like Antivirus/AntiSpam aren’t equipped to combat modern-day threats on the most vulnerable and valuable target for intruders: the endpoints. Let us discuss briefly how endpoints can be protected at each stage of the cyber kill chain, making every stage more expensive for intruders and destroying their standard playbook.
We have less control over pre-attack reconnaissance and weaponization, where the adversary uses techniques like phishing, spear-phishing, water-holing and social engineering to learn more about you and develop a weapon to target you. Some hygiene and awareness can still make the attacker sweat a little at this early stage: keeping your ecosystem updated, and training employees so that they do not fall prey to phishing and social engineering attacks.
Once the weapon is developed, delivery to you will be attempted. The delivery vector can be an email, a browser, a USB/DVD or even a vulnerability in your application.
- Protection against unsafe attachments and expanding protection against malicious links
O365 Advanced Threat Protection offers protection against unknown malware and viruses and against malicious URLs, with rich reporting and URL trace capabilities. It also complements the security features of Exchange Online Protection to provide better zero-day protection. This blocks the weapon from entering your endpoint via the email channel, and the intruder must now rethink how to deliver it to you.
- Protection while browsing the web
Windows Defender Application Guard (WDAG) helps isolate enterprise-defined untrusted sites, protecting organizations when their employees browse the Internet. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated, Hyper-V-enabled container that is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. In addition, Edge is sandboxed by default, with inherent security features like Attack Surface Reduction, MEMGC and Control Flow Guard, which make it even more difficult to hack.
Getting tough isn’t it, for the attacker of course!
Exploitation and Installation
Even if the adversary still gets in, execution and installation of the malicious code will be attempted to exploit vulnerabilities. Once successful, they can control your endpoint persistently via a Command and Control (C&C) server.
- Real Time Protection against known codes
The inbuilt Antivirus/AntiSpam solution in Windows 10 (Windows Defender AV) blocks the execution of known malicious code. Advanced capabilities like Cloud Delivered Protection and Block at First Sight add protection against new malware within a few seconds.
- Protection against installation of untrusted Applications
Windows Defender Application Control (WDAC) is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control flips the model from one where all applications are assumed trustworthy by default to one where applications must earn trust to run.
No space for any malware or ransomware to execute! You don’t trust them, right?
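As an added illustration of the "earn trust to run" model (this is my example, not code from the article or from Microsoft), the following elevated PowerShell builds a WDAC policy from a known-good reference machine, puts it in audit mode so untrusted binaries are logged rather than blocked while the allow list is tuned, and deploys it. The cmdlets are from the ConfigCI module that ships with Windows 10; the paths under C:\WDAC are assumptions for this example.

```powershell
# Added example (not from the original article): WDAC policy in audit mode.
# Run from an elevated PowerShell on Windows 10 Enterprise. Paths are assumed.
$PolicyXml = 'C:\WDAC\AuditPolicy.xml'
$PolicyBin = 'C:\WDAC\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the reference machine and trust binaries by their publisher certificate,
# falling back to a file hash for unsigned binaries. -UserPEs includes
# user-mode executables, not only drivers. A full C:\ scan takes a while.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath $PolicyXml

# Rule option 3 = Enabled:Audit Mode. Binaries the policy would have blocked
# are logged as event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational.
# Remove the option (Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete)
# only after the audit log shows nothing legitimate would be blocked.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Compile the XML into the binary form that Code Integrity loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Deploy to the single-policy location; the policy takes effect after reboot.
Copy-Item $PolicyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# Sanity check: confirm the policy file still carries the audit-mode option.
Select-String -Path $PolicyXml -Pattern 'Enabled:Audit Mode'
```

Audit mode first is the practical point: an allow-list policy enforced on day one blocks every line-of-business tool nobody remembered to inventory, and the 3076 events are how you find them before flipping to enforcement.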
- Protection against vulnerabilities in your Applications and Reduction of Attack Surface
Windows Defender Exploit Guard (WDEG) is a set of Host Intrusion Prevention capabilities which helps reduce the attack surface of the applications you use. Four sets of capabilities come along with Exploit Guard:
- Exploit protection can apply exploit mitigation techniques to your apps.
- Attack Surface Reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware.
- Network Control extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your devices.
- Controlled Folder Access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware.
Exploitation? No more!
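To show what turning on all four Exploit Guard capabilities actually looks like, here is an added example of my own (not the article's or Microsoft's code) for an elevated PowerShell on Windows 10 1709 or later. The process name notepad.exe, the single ASR rule chosen, and the backup tool path are illustrative assumptions; the Defender cmdlets and the ASR rule GUID are real.

```powershell
# Added example (not from the original article): enable the four Exploit Guard
# capabilities and read the settings back. Run elevated on Windows 10 1709+.

# 1. Exploit protection: per-process mitigations. Force DEP and Control Flow
#    Guard on for notepad.exe (assumed example target); -Disable rolls it back.
Set-ProcessMitigation -Name notepad.exe -Enable DEP,CFG

# 2. Attack Surface Reduction: start in AuditMode so rule hits are logged as
#    event ID 1122 (Microsoft-Windows-Windows Defender/Operational) before the
#    action is changed to Enabled. This GUID is the documented rule
#    "Block all Office applications from creating child processes".
$OfficeChildProc = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProc `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 3. Network protection: applies SmartScreen reputation checks to outbound
#    connections from any process on the device, not only Edge.
Set-MpPreference -EnableNetworkProtection Enabled

# 4. Controlled folder access: protected folders (Documents, Desktop, ...) are
#    writable only by trusted apps; add your own tools to the allow list.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Tools\backup.exe'  # assumed path

# Read back what is actually in effect.
Get-ProcessMitigation -Name notepad.exe
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids,
                                 AttackSurfaceReductionRules_Actions,
                                 EnableNetworkProtection,
                                 EnableControlledFolderAccess
```

The read-back at the end matters: Group Policy, Intune and local cmdlets can each set these values, and the effective state reported by Get-MpPreference is the only one the engine honours.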
The intruder might try various techniques, such as social engineering or stealing credentials from LSASS (Pass-the-Hash attacks), to obtain credentials for lateral movement further into your network.
- Protecting Stored Credentials
Windows Defender Credential Guard (WDCG) is a native capability in Windows 10 which prevents attacks against the credentials by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
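For a practitioner, the useful part is confirming that Credential Guard is really running, since it silently stays off when the virtualization-based security prerequisites (UEFI, Secure Boot, Hyper-V support) are missing. The following is my added example, not the article's or Microsoft's code: it enables Credential Guard through the documented registry values and then checks the Win32_DeviceGuard WMI class after a reboot. Group Policy or Intune is the normal fleet-wide route; this is the manual form.

```powershell
# Added example (not from the original article): enable and verify Credential
# Guard on one Windows 10 Enterprise machine. Run elevated; reboot to apply.

# LsaCfgFlags: 1 = enabled with UEFI lock (cannot be turned off remotely),
#              2 = enabled without lock, 0 = disabled.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $LsaKey -Name LsaCfgFlags -Value 1 -Type DWord

# Virtualization-based security must be on for LSA secrets to be isolated.
$DGKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
Set-ItemProperty -Path $DGKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $DGKey -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord  # 1 = Secure Boot

# After the reboot: SecurityServicesRunning contains 1 when Credential Guard
# is active (2 would be HVCI). Configured-but-not-running means a prerequisite
# is missing, which is the case to investigate.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
if ($dg.SecurityServicesRunning -contains 1) {
    'Credential Guard is running: NTLM hashes and Kerberos TGTs are isolated from the host OS.'
} else {
    'Credential Guard is NOT running. Configured: ' + ($dg.SecurityServicesConfigured -join ',') +
    ' Running: ' + ($dg.SecurityServicesRunning -join ',')
}
```

Treat "configured but not running" as a finding in its own right: the machine reports the policy as applied while LSASS secrets remain exactly where they were.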
- Moving Towards a Password Less World
Just imagine a world without passwords. What will the attackers use to get access to your valuable resources?
Windows Hello for Business (WHfB) replaces passwords with strong two-factor authentication on endpoints. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
Detection and Response at all Stages
We live in a world where we assume breach, and that is where we see a lot of attacks materializing in large organizations despite the heavy investments they may have made in protection mechanisms. We need to detect these breaches early and initiate a timely response so that we can limit the damage caused.
Windows Defender Advanced Threat Protection (WDATP) is an intelligent Endpoint Detection and Response capability in Windows 10 which provides preventative protection, detects attacks and zero-day exploits, and gives you centralized management for your end-to-end security lifecycle. This gives you timely insights so that the breach can be responded to quickly.
Advanced Threat Analytics (ATA) is an on-premises platform that helps protect your enterprise from multiple types of advanced targeted cyber attacks and insider threats.
ATA technology detects multiple suspicious activities, focusing on several phases of the cyber-attack kill chain, including:
- Reconnaissance, during which attackers gather information on how the environment is built, what the different assets are, and which entities exist. They are generally building their plan for the next phases of the attack.
- Lateral movement cycle, during which an attacker invests time and effort in spreading their attack surface inside your network.
- Domain dominance (persistence), during which an attacker captures the information allowing them to resume their campaign using various sets of entry points, credentials, and techniques.
PUTTING IT ALL TOGETHER!
Windows 10 and Office 365 have built-in native capabilities that help address threats at each stage of an attack lifecycle, with less administrative, performance and cost overhead. These integrated capabilities work well with each other and are empowered with intelligence through the Microsoft Security Intelligence Graph (MISG). Microsoft's unique insights into the threat landscape, informed by trillions of signals from billions of sources, create an intelligent security graph (MISG) that we use to inform how we protect all endpoints, better detect attacks and accelerate our response.