In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how rapid cyberattacks are different in terms of execution and outcome. In the second blog post, we provided some details on Petya and how it worked. In this final blog post, we will share:
- Microsofts roadmap of recommendations to mitigate rapid cyberattacks.
- Outside-in perspectives on rapid cyberattacks and mitigation methods based on a survey of global organizations.
Because of how critical security hygiene issues have become and how challenging it is for organizations to follow the guidance and the multiple recommended practices, Microsoft is taking a fresh approach to solving them. Microsoft is working actively with NIST, the Center for Internet Security (CIS), DHS NCCIC (formerly US-CERT), industry partners, and the cybersecurity community to jointly develop and publish practical guides on critical hygiene and to implement reference solutions starting with these recommendations on rapid cyberattacks as related to patch management.Roadmap of prescriptive recommendations for mitigating rapid cyberattacks
We group our mitigation recommendations into four categories based on the effect they have on mitigating risk:
Mitigate software vulnerabilities that allow worms and attackers to enter and/or traverse an environment
BUSINESS CONTINUITY / DISASTER RECOVERY (BC/DR)
Rapidly resume business operations after a destructive attack
LATERAL TRAVERSAL / SECURING PRIVILEGED ACCESS
Mitigate ability to traverse (spread) using impersonation and credential theft attacks
ATTACK SURFACE REDUCTION
Reduce critical risk factors across all attack stages (prepare, enter, traverse, execute)
Figure 1: Key components of mitigation strategy for rapid cyberattacks
We recognize every organization has unique challenges and investments in cybersecurity (people and technology) and cannot possibly make every single recommendation a top nor immediate priority. Accordingly, we have broken down the primary (default) recommendations for mitigating rapid cyberattacks into three buckets:
- Quick wins: what we recommend organizations accomplish in the first 30 days
- Less than 90 days: what we recommend organizations accomplish in the medium term
- Next quarter and beyond: what we recommend organizations accomplish in the longer term
The following list is our primary recommendations on how to mitigate these attacks.
Figure 2: Microsofts primary recommendations for mitigating rapid cyberattacks
This list has been carefully prioritized based on Microsofts direct experience investigating (and helping organizations recover from) these attacks as well as collaboration with numerous industry experts. This is a default set of recommendations and should be tailored to each enterprise based on defenses already in place. You can read more about the details of each recommendation in the slide text and notes of the published slide deck.
In prioritizing the quick wins for the first 30 days, the primary considerations we used are:
- Whether the measure directly mitigates a key attack component.
- Whether most enterprises could rapidly implement the mitigation (configure, enable, deploy) without significant impact on existing user experiences and business processes.
Figure 3: Mapping each recommendation into the mitigation strategy components
In addition to the primary recommendations, Microsoft has an additional set of recommendations that could provide significant benefits depending on circumstances of the organization:
- Ensure outsourcing contracts and SLAs are compatible with rapid security response
- Move critical workloads to SaaS and PaaS as you are able
- Validate existing network controls (internet ingress, internal Lab/ICS/SCADA isolation)
- Enable UEFI Secure Boot
- Complete SPA roadmap Phase 2
- Protect backup and deployment systems from rapid destruction
- Restrict inbound peer traffic on all workstations
- Use application whitelisting
- Remove local administrator privileges from end-users
- Implement modern threat detection and automated response solutions
- Disable unneeded protocols
- Replace insecure protocols with secure equivalents (TelnetSSH, HTTP HTTPS, etc.)
There are specific reasons why these 12 recommendations, although helpful for certain organizations/circumstances, were excluded from the list of primary recommendations. You can read about those reasons in the slide notes of the published slide deckif interested.Outside-in perspectives on rapid cyberattacks and mitigation methods
In late November 2017 Microsoft hosted a webinar on this topic and solicited feedback from the attendees which comprised of 845 IT professionals from small organizations to large global enterprises. Here are a few interesting insights from the poll questions.
Rapid cyberattack experience
When asked if they had experienced a rapid cyberattack (e.g. WannaCrypt, Petya or other), ~38% stated they did.
Awareness of SPA roadmap
When asked if theyre aware of Microsofts Securing Privileged Access (SPA) roadmap, most, 66%, stated that they were not.
When we asked within how many days (<7 or 30 or 90) they can patch various systems, it seems most respondents believed their team is good at patching quickly:
- 83% can patch workstations within 30 days; 44% within 7 days
- 81% can patch servers within 30 days; 51% within 7 days
- 54% can patch Linux/Other devices within 30 days; 25% within 7 days
Removal of SMBv1
When asked where they are on the path towards removing SMBv1, 26% said they have completed removing it, another 21% said they are in progress or in the process of doing so, and ~18% more are planning to do so.
Adopting roadmap recommendations
When asked what is blocking them from adopting Microsofts roadmap recommendations for securing against rapid cyberattacks, the top three reasons respondents shared are:
- Lack of time
- Lack of resources
- Lack of support from upper management/executive buy-in
To help organizations overcome these challenges, Microsoft can be engaged to:
- Assist with implementing the mitigations described in SPA Roadmap and Rapid Cyberattack Guidance.
- Investigate an active incident with enterprise-wide malware hunting, analysis, and reverse engineering techniques. This includes providing tailored cyberthreat intelligence and strategic guidance to harden the environment against advanced and persistent attacks. Microsoft can provide onsite teams and remote support to help you investigate suspicious events, detect malicious attacks, and respond to security breaches.
- Proactively hunt for persistent adversaries in your environment using similar methods as an active incident response (above).
Contact your Microsoft Technical Account Manager (TAM) or Account Executive to learn more about how to engage Microsoft for incident response.
Contact your Microsoft Technical Account Manager (TAM) or Account Executive to learn more about how to engage Microsoft for incident response.More information
We hope you found the 3-part blog series on the topic of rapid cyberattacks and some recommendations on how to mitigate them useful.
For more information and resources on rapid cyber attacks, please visit the additional links here:
On-demand webinar Protect Against Rapid Cyberattacks (Petya, WannaCrypt, and similar).Additional resources
Tips to mitigate known rapid cyberattacks with Windows 10 (and Windows Defender Advanced Threat Protection):
- New ransomware, old techniques: Petya adds worm capabilities
- Windows 10 platform resilience against the Petya ransomware attack
- Windows 10 Creators Update provides next-gen ransomware protection
- Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack
This last October we saw more countries than ever participate in initiatives to raise cybersecurity awareness. What was once largely a US approach has evolved into events and initiatives around the world by governments, civil society groups, and private sector partners. This increased breadth and depth of activity reflects governments increased understanding of the importance of cybersecurity, not only for their operations but for the lives of their citizens. My teams research indicates that today over half of the worlds countries are leading some sort of national level initiative for cybersecurity, with countless other efforts at sectoral, state, city, or other levels.
However, developing effective approaches to tackling cybersecurity at a national level isnt easy, especially if they are going to have widespread or long-lasting effects. The complexity of developing approaches for an issue that truly touches all aspects of the modern economy and society cannot be understated and if approached in the wrong way can create a quagmire of laws, bodies, and processes. The different aspects of cybersecurity such as promoting online safety, workforce skills development, and critical infrastructure protection, all cut across an unprecedented range of traditional government departments, from defense and foreign affairs, to education and finance. Effectively, cybersecurity is one of the first policy areas that challenges traditional national governance structures and policy making. It is unlikely to be the last, with issues such as artificial intelligence hard on its heels.
To deal with this challenge, governments are exploring new governance models. Some countries have created a dedicated department within a particular ministry, such as India. Others have looked at extending the work traditionally done by the police or a national computer security incident response team, such as Malaysia. Moreover, countries as diverse as Australia, France, Brazil, Indonesia, Tanzania, Belarus, Israel, and Singapore, already have specific bodies of government responsible for cybersecurity.
However, despite the fact that many countries have already taken steps to establish or strengthen their own cybersecurity bodies; no single, optimum, model can be pointed to. The reasons are many, from different governance set ups, to varying levels of investment and expertise available, to the fact that dealing with cybersecurity is a relatively new endeavor for governments.
Taking this variety into account, and coupling it with our own perspective and experience, Microsoft has collected good practices that we believe can support national engagement on cybersecurity. Today we are releasing a new whitepaper: Building an Effective National Cybersecurity Agency. Its core insights center around the following set of recommendations for governments in order to avoid becoming bogged down in cybersecurity challenges that are otherwise avoidable:
- Appoint a single national cybersecurity agency.Having a single authority creates a focal point for key functions across the government, which ensures policies are prioritized and harmonized across the nation.
- Provide the national cybersecurity agency with a clear mandate. Cybersecurity spans different stakeholders with overlapping priorities. Having a clear mandate for the agency will help set expectations for the roles and responsibilities and facilitate the intra-governmental processes.
- Ensure the national cybersecurity agency has appropriate statutory powers. Currently, most national cybersecurity agencies are established not by statute but by delegating existing powers from other parts of government. As cybersecurity becomes an issue for national legislature, agencies might have to be given clear ownership of implementation.
- Implement a five-part organizational structure. The five-part structure we propose in the paper allows for a multifaceted interaction across internal government and regulatory stakeholders, as well as external and international stakeholders, and aims to tackle both regulatory and other cybersecurity aspects.
- Expect to evolve and adapt. Regardless of how the structure of the national cybersecurity agency begins, the unavoidability of change in the technology and threat landscape will require it to evolve and adapt over time to be able to continue to fulfill its mandate.
As the challenges and opportunities that come as a result of ICT proliferation continue to evolve, governments will need to ensure they are sufficiently equipped to face them, both today and in the future. Bringing together diverse stakeholders across different agencies, such as defense, commerce, and foreign affairs, and backgrounds, including those from law, engineering, economics, ad policy, will enable our society to both deal with the threats and harness the opportunities of cyberspace. It is this diversity of stakeholders that contributes to the challenge cybersecurity poses for traditional governance.
But cybersecurity is the first of many emerging areas that necessitates new and creative solutions that allows policymakers to work hand in hand with their counterparts across government, civil society and industry. For cybersecurity, as well as the issues to come, cooperation is the underpinning of achieving these goals. However, cooperation cannot be created organically, it must grow from an effectively structured governance system. Establishing a national cybersecurity agency will enable governments to do just that.
At 12:46 a.m. local time on February 3, a Windows 7 Pro customer in North Carolina became the first would-be victim of a new malware attack campaign for Trojan:Win32/Emotet. In the next 30 minutes, the campaign tried to attack over a thousand potential victims, all of whom were instantly and automatically protected by Windows Defender AV.
How did Windows Defender AV uncover the newly launched attack and block it at the outset? Through layered machine learning, including use of both client-side and cloud machine learning (ML) models. Every day, artificial intelligence enables Windows Defender AV to stop countless malware outbreaks in their tracks. In this blog post, well take a detailed look at how the combination of client and cloud ML models detects new outbreaks.
Figure 1. Layered detected model in Windows Defender AVClient machine learning models
In the case of the Emotet outbreak on February 3, Windows Defender AV caught the attack using one of the PE gradient boosted tree ensemble models. This model classifies files based on a featurization of the assembly opcode sequence as the file is emulated, allowing the model to look at the files behavior as it was simulated to run.
Figure 2. A client ML model classified the Emotet outbreak as malicious based on emulated execution opcode machine learning model.
The tree ensemble was trained using LightGBM, a Microsoft open-source framework used for high-performance gradient boosting.
Figure 3a. Visualization of the LightBGM-trained client ML model that successfully classified Emotet’s emulation behavior as malicious. A set of 20 decision trees are combined in this model to classify whether the files emulated behavior sequence is malicious or not.
Figure 3b. A more detailed look at the first decision tree in the model. Each decision is based on the value of a different feature. Green triangles indicate weighted-clean decision result; red triangles indicate weighted malware decision result for the tree.
When the client-based machine learning model predicts a high probability of maliciousness, a rich set of feature vectors is then prepared to describe the content. These feature vectors include:
- Behavior during emulation, such as API calls and executed code
- Similarity fuzzy hashes
- Vectors of content descriptive flags optimized for use in ML models
- Researcher-driven attributes, such as packer technology used for obfuscation
- File name
- File size
- Entropy level
- File attributes, such as number of sections
- Partial file hashes of the static and emulated content
This set of features form a signal sent to the Windows Defender AV cloud protection service, which runs a wide array of more complex models in real-time to instantly classify the signal as malicious or benign.Real-time cloud machine learning models
Windows Defender AVs cloud-based real-time classifiers are powerful and complex ML models that use a lot of memory, disk space, and computational resources. They also incorporate global file information and Microsoft reputation as part of the Microsoft Intelligent Security Graph (ISG) to classify a signal. Relying on the cloud for these complex models has several benefits. First, it doesnt use your own computers precious resources. Second, the cloud allows us to take into consideration the global information and reputation information from ISG to make a better decision. Third, cloud-based models are harder for cybercriminals to evade. Attackers can take a local client and test our models without our knowledge all day long. To test our cloud-based defenses, however, attackers have to talk to our cloud service, which will allow us to react to them.
The cloud protection service is queried by Windows Defender AV clients billions of times every day to classify signals, resulting in millions of malware blocks per day, and translating to protection for hundreds of millions of customers. Today, the Windows Defender AV cloud protection service has around 30 powerful models that run in parallel. Some of these models incorporate millions of features each; most are updated daily to adapt to the quickly changing threat landscape. All together, these classifiers provide an array of classifications that provide valuable information about the content being scanned on your computer.
Classifications from cloud ML models are combined with ensemble ML classifiers, reputation-based rules, allow-list rules, and data in ISG to come up with a final decision on the signal. The cloud protection service then replies to the Windows Defender client with a decision on whether the signal is malicious or not all in a fraction of a second.
Figure 4. Windows Defender AV cloud protection service workflow.
In the Emotet outbreak, one of our cloud ML servers in North America received the most queries from customers; corresponding to where the outbreak began. At least nine real-time cloud-based ML classifiers correctly identified the file as malware. The cloud protection service replied to signals instructing the Windows Defender AV client to block the attack using two of our ML-based threat names, Trojan:Win32/Fuerboos.C!cl and Trojan:Win32/Fuery.A!cl.
This automated process protected customers from the Emotet outbreak in real-time. But Windows Defender AVs artificial intelligence didnt stop there.Deep learning on the full file content
Automatic sample submission, a Windows Defender AV feature, sent a copy of the malware file to our backend systems less than a minute after the very first encounter. Deep learning ML models immediately analyzed the file based on the full file content and behavior observed during detonation. Not surprisingly, deep neural network models identified the file as a variant of Trojan:Win32/Emotet, a family of banking Trojans.
While the ML classifiers ensured that the malware was blocked at first sight, deep learning models helped associate the threat with the correct malware family. Customers who were protected from the attack can use this information to understand the impact the malware might have had if it were not stopped.
Additionally, deep learning models provide another layer of protection: in relatively rare cases where real-time classifiers are not able to come to a conclusive decision about a file, deep learning models can do so within minutes. For example, during the Bad Rabbit ransomware outbreak, Windows Defender AV protected customers from the new ransomware just 14 minutes after the very first encounter.Intelligent real-time protection against modern threats
Machine learning and AI are at the forefront of the next-gen real-time protection delivered by Windows Defender AV. These technologies, backed by unparalleled optics into the threat landscape provided by ISG as well as world-class Windows Defender experts and researchers, allow Microsoft security products to quickly evolve and scale to defend against the full range of attack scenarios.
Cloud-delivered protection is enabled in Windows Defender AV by default. To check that its running, go to Windows Settings > Update & Security > Windows Defender. Click Open Windows Defender Security Center, then navigate to Virus & threat protection > Virus &threat protection settings, and make sure that Cloud-delivered protection and Automatic sample submission are both turned On.
In enterprise environments, the Windows Defender AV cloud protection service can be managed using Group Policy, System Center Configuration Manager, PowerShell cmdlets, Windows Management Instruction (WMI), Microsoft Intune, or via the Windows Defender Security Center app.
The intelligent real-time defense in Windows Defender AV is part of the next-gen security technologies in Windows 10 that protect against a wide spectrum of threats. Of particular note, Windows 10 S is not affected by this type of malware attack. Threats like Emotet wont run on Windows 10 S because it exclusively runs apps from the Microsoft Store. Learn more about Windows 10 S. To know about all the security technologies available in Windows 10, read Microsoft 365 security and management features available in Windows 10 Fall Creators Update.
Geoff McDonald, Windows Defender Research
with Randy Treit and Allan Sepillo
Talk to us
Many organizations are undergoing a digital transformation that leverages a mix of cloud and on-premises assets to increase business efficiency and growth. While increased dependence on technology is necessary for this transformation, and to position the business for success, it does pose risks from security threats. An organization cannot afford to wait until after users and systems have been compromised; it must be proactive.
It is impossible to be 100 percent secure. It can take less than 48 hours for attackers to gain complete control of a network, and the median time to discover a breach is 99 days. With incidents costing an average of $141 per lost or stolen recordand some cybersecurity events such as Petya costing $200-310 million, organizations must develop comprehensive risk management plans. These plans must keep a hybrid infrastructure resilient to a range of cyber threats encompassing both established and emerging threats. In addition, plans must help to manage the risk of emerging vulnerabilities, such as the recently disclosed processor vulnerabilities named Spectre and Meltdown.
Microsoft helps multiple global enterprises mitigate business impact by offering prescriptive guidance, as well as partnering with them to build a cyber resiliency plan and roadmap.
To learn more about how Microsoft views the importance of cyber resilience for the modern enterprise, get prescriptive guidance on building a cyber resiliency plan and roadmap, and find out what Microsoft is doing to help enterprises rapidly become resilient to commonly encountered attacks and vulnerabilities, check out these resources:
- Microsoft as a Trusted Advisor and Partner on Cyber Resilience white paper co-authored by members of Microsoft Enterprise Cybersecurity Group
- Cyber Resilience for the Modern Enterprise webinar featuring Diana Kelley (Field Chief Technology Officer) and Shawn Anderson (Executive Security Advisor) from the Microsoft Enterprise Cybersecurity Group
- Securing Azure customers from CPU vulnerability blog from the Microsoft Azure team
Anatomy of a Breach. 2016. Microsoft. (https://info.microsoft.com/Anatomy-of-a-breach-Registration.html?ls=Website)
2017 Cost of a Data Breach Study: Global Overview: Ponemon Institute. (https://www-01.ibm.com/marketing/iwm/dre/signup?source=urx-15763&S_PKG=ov58441)
 NotPetya ransomware cost Merck more than $310 million. (https://www.cyberscoop.com/notpetya-ransomware-cost-merck-310-million)
The word strategy has its origins in the Roman Empire and was used to describe the leading of troops in battle. From a military perspective, strategy is a top-level plan designed to achieve one or more high-order goals. A clear strategy is especially important in times of uncertainty as it provides a framework for those involved in executing the strategy to make the decisions needed for success.
In a corporate or government entity, the primary role of the Chief Information Security Officer (CISO) is to establish a clear cybersecurity strategy and oversee its execution. To establish an effective strategy, one must first understand, and it is recommended to document, the following:
- Resources. The most critical component of a successful strategy is the proper utilization of available resources. As such, a CISO must have a clear picture of their annual budget, including operating and capital expenditures. In addition, the CISO must understand not just the number of vendors and full-time employees under their span of control, but also the capabilities and weaknesses of these resources. The CISO must also have an appreciation for the capabilities of key resources that are essential to effective security but not necessarily under their direct supervision, such as server and desktop administrators, the team responsible for patching, etc. One of the most difficult aspects of the CISO job is that to be successful you must positively influence the actions of other teams whose jobs are critical to the success of the security program, and your career, but who are not under your direct control.
- Business Drivers. At the end of the day, CISOs have a finite amount of resources to achieve goals and cannot apply the same level of protection to all digital assets. To help make resource allocation decisions, the CISO must clearly understand the business they have been charged with protecting. What is most important to the success of the business? Which lines of business produce the most revenue, and which digital assets are associated with those lines? For governments, which services are essential for residents’ health and for maintaining government operations, and which digital assets are associated with those services and functions?
- Data. Data is the lifeblood of most companies and is often the target of cyber criminals, whether to steal or encrypt for ransom. Once business drivers have been identified, the CISO should inventory the data that is important to the lines of business. This should include documenting the format, volume, and locations of the data and the associated data steward. In large organizations, this can be extremely challenging, but it is essential to have a clear picture of the storage and processing of the entitys crown jewels.
- Controls. Before formulating a strategy, the CISO must gain an understanding of the status of the safeguards or countermeasures that have been deployed within an environment to minimize the security risks posed to digital assets. These will include controls to minimize risks to the confidentiality, integrity, or availability of the assets. In determining the sufficiency of a control, assess its design and operating effectiveness. Does the control cover all assets or a subset? Is the control effective at reducing the risk to an acceptable level or is the residual risk still high? For example, one control found to be effective in minimizing risk to the confidentiality of data is to require a second factor of authentication prior to granting access to sensitive records. If such a control is implemented, what percentage of users require a second authentication factor before accessing the companys most sensitive data? What is the likelihood that a user will acknowledge a second factor in error as the result of a phishing test?
- Threats. Identifying the threats to an organization is one of the more difficult tasks in developing a cyber strategy, as cyber threats tend to be asymmetric and constantly evolving. Still, it is important to identify the most likely threat actors and the motivations, tactics, techniques, and procedures used to achieve their goals.
Once a CISO has a clear picture of the items discussed above, they can begin formulating a strategy appropriate to the task at hand. There is no one size fits all approach, as each organization is unique, but there are models and frameworks that have proven helpful over time, including those developed by the National Institute of Standards and Technology, Cyber Kill Chain, Center for Internet Security, SANS, and the Australian Signals Directorate, among others. An effective strategy must also consider human and organizational dynamics. For example, employees will typically work around a control that increases the actual, or perceived, amount of effort to perform a given task, especially when they feel that the effort is not commensurate with the threat being addressed.
At Microsoft, we are continuously evaluating the current threats faced by our customers and building products and services to help CISOs execute their strategies. The design of our products not only accounts for the techniques utilized by cyber attackers, but also incorporates features that address the human dynamics within an enterprise and the staff and retention challenges faced by security teams. A few examples of these design principles in practice include building security features and functions within our productivity tools such as Office 365 Advanced Threat Protection, using auto-classification to reduce the workload on end users with Azure Information Protection, and increasing the efficiency and effectiveness of security teams with Windows Defender Advanced Threat Protection.
In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how they are different in terms of execution and outcome. Next, we will go into some more details on the Petya (aka NotPetya) attack.How Petya worked
The Petya attack chain is well understood, although a few small mysteries remain. Here are the four steps in the Petya kill chain:
Figure 1:How the Petya attack worked
- Prepare – The Petya attack began with a compromise of the MEDoc application. As organizations updated the application, the Petya code was initiated.
- Enter – When MEDoc customers installed the software update, the Petya code ran on an enterprise host and began to propagate in the enterprise.
- Traverse – The malware used two means to traverse:
- Exploitation Exploited vulnerability in SMBv1 (MS17-010).
- Credential theft Impersonated any currently logged on accounts (including service accounts).
- Note that Petya only compromised accounts that were logged on with an active session (e.g. credentials loaded into LSASS memory).
- Execute – Petya would then reboot and start the encryption process. While the screen text claimed to be ransomware, this attack was clearly intended to wipe data as there was no technical provision in the malware to generate individual keys and register them with a central service (standard ransomware procedures to enable recovery).
Although it is unclear if Petya was intended to have as widespread an impact as it ended up having, it is likely that this attack was built by an advanced group, considering the following:
- The Petya attack wiped the event logs on the system, which is unneeded as the drive was wiped later anyways. This leaves an open question on whether this is just standard anti-forensic practice (as is common for many advanced attack groups) or whether there were other attack actions/operations being covered up by Petya.
- The supply chain approach taken by Petya requires a well-funded adversary with a high level of investment into attack skills/capability. Although supply chain attacks are rising, these still represent a small percentage of how attackers get into corporate environments and require a higher degree of sophistication to execute.
Our observation was that Petya spread more by using identity impersonation techniques than through MS17-010 vulnerability exploitation. This is likely because of the emergency patching initiatives organizations followed to deploy MS17-010 in response to the WannaCrypt attacks and associated publicity.
The Petya attacks also resurfaced a popular misconception about mitigating lateral traversal which comes up frequently in targeted data theft attacks. If a threat actor has acquired the credentials needed for lateral traversal, you can NOT block the attack by disabling execution methods like PowerShell or WMI. This is not a good choke point because legitimate remote management requires at least one process execution method to be enabled.
Figure 2:How the Petya attack spreads
Youll see in the illustration above that achieving traversal requires three technical phases:
1st phase: Targeting Identify which machines to attack/spread to next.
Petyas targeting mechanism was consistent with normal worm behavior. However, Petya did include a unique innovation where it acquired IPs to target from the DHCP subnet configuration from servers and DCs to accelerate its spread.
2nd phase: Privilege acquisition Gain the privileges required to compromise those remote machines.
A unique aspect of Petya is that it used automated credential theft and re-use to spread, in addition to the vulnerability exploitation. As mentioned earlier, most of the propagation in the attacks we investigated was due to the impersonation technique. This resulted in impersonation of the SYSTEM context (computer account) as well as any other accounts that were logged in to those systems (including service accounts, administrators, and standard users).
3rd phase: Process execution Obtain the means to launch the malware on the compromised machine.
This phase is not an area we recommend focusing defenses on because:
- An attacker (or worm) with legitimate credentials (or impersonated session) can easily use another available process execution method.
- Remote management by IT operations requires at least one process execution method to be available.
Because of this, we strongly advise organizations to focus mitigation efforts on the privilege acquisition phase (2) for both rapid destruction and targeted data theft attacks, and not prioritize blocking at the process execution phase (3).
Figure 3:Most Petya propagations were due to impersonation (credential theft)
Because of the dual channel approach to propagation, even an organization that had reached 97% of their endpoints with MS17-010 patching was infected enterprise-wide by Petya. This shows that mitigating just one vector is not enough.
The good news here is that any investment made into credential theft defenses (as well as patching and other defenses) will directly benefit your ability to stave off targeted data theft attacks because Petya simply re-used attack methods popularized in those attacks.Attack and Recovery Experience: Learnings from Petya
Many impacted organizations were not prepared for this type of disaster in their disaster recovery plan. The key areas of learnings from real world cases of these attacks are:
Figure 4:Common learnings from rapid cyberattack recovery
Offline Recovery Required Many organizations affected by Petya found that their backup applications and Operating System (OS) deployment systems were taken out in the attack, significantly delaying their ability to recover business operations. In some cases, IT staff had to resort to printed documentation because the servers housing their recovery process documentation were also down.
Communications down Many organizations also found themselves without standard corporate communications like email. In almost all cases, company communications with employees was reliant on alternate mechanisms like WhatsApp, copy/pasting broadcast text messages, mobile phones, personal email addresses, and Twitter.
In several cases, organizations had a fully functioning Office 365 instance (SaaS services were unaffected by this attack), but users couldnt access Office 365 services because authentication was federated to the on premises Active Directory (AD), which was down.More information
To learn more about rapid cyber attacks and how to protect against them, watch the on-demand webinar: Protect Against Rapid Cyberattacks (Petya, WannaCrypt, and similar).
Look out for the next and final blog post of a 3-part series to learn about Microsoft’s recommendations on mitigating rapid cyberattacks.
There has been an increase in free versions of programs that purport to scan computers for various errors, and then use alarming, coercive messages to scare customers into buying a premium version of the same program. The paid version of these programs, usually called cleaner or optimizer applications, purportedly fixes the problems discovered by the free version. We find this practice problematic because it can pressure customers into making unnecessary purchase decisions.
To help protect customers from receiving such coercive messaging, we are updating our evaluation criteria to specify that programs must not use alarming or coercive messaging that can put pressure on customers into making a purchase or performing other actions. We use the evaluation criteria to determine what programs are identified as malware and unwanted software. In the future, programs that display coercive messaging will be classified as unwanted software, detected, and removed.
This update comes in addition to our other long-standing customer protection requirements designed to keep our customers from being deceived by programs that display misleading, exaggerated, or threatening messages about a systems health. In February 2016, we required cleaner and optimizer programs that purport to clean up systems and optimize performance to provide customers with detailed information about what purportedly needs to be fixed. This requirement aims to protect customers from programs that present aggregate “error results with no specific details, without providing customers with the ability to assess and validate the so-called errors.
We have recently updated our evaluation criteria to state:
Unwanted behaviors: coercive messaging
Programs must not display alarming or coercive messages or misleading content to pressure you into paying for additional services or performing superfluous actions.
Software that coerces users may display the following characteristics, among others:
- Reports errors in an exaggerated or alarming manner about the users system and requires the user to pay for fixing the errors or issues monetarily or by performing other actions such as taking a survey, downloading a file, signing up for a newsletter, etc.
- Suggests that no other actions will correct the reported errors or issues
- Requires the user to act within a limited period of time to get the purported issue resolved
Starting March 1, 2018, Windows Defender Antivirus and other Microsoft security products will classify programs that display coercive messages as unwanted software, which will be detected and removed. If you are software developer and want to validate the detection of your programs, visit the Windows Defender Security Intelligence portal.
Customer protection is our top priority. We adjust, expand, and update our evaluation criteria based on customer feedback and in order to capture the latest developments in unwanted software and other threats. We encourage our customers to submit programs that exhibit unwanted behaviors related to coercive messaging, or other unwanted or malicious behaviors in general.
Windows Defender Security Research
Talk to us
In December, the Internet Governance Forum (IGF) brought the world together to talk about the internet. I tend to take a definite interest in cybersecurity, but there were many more important topics discussed. They ranged from diversity in the technology sector through to philosophy in the digital age. Cybersecurity was, nonetheless, a major theme. My colleagues and I found an agenda packed with varied sessions that sought to tackle anything from effective cooperation between CERTS, the difficulties in developing an international framework for cybersecurity norms and other issues the Digital Geneva Convention touches on, to the very real cross-border legal challenges in cloud forensics.
The real strength of the IGF is not just its breadth of topics, but also the way in which it deliberately fosters multi-stakeholder discussions. Delegates have equal voices, whether they are civil society groups, governments, or businesses. And while there were differences in opinion and perspectives, all are heard and as such contribute to richer conversations, and ultimately more valuable outcomes.
Certainly, the expectation is not that there would be immediate policy outcomes from the IGF. Ideas need time to grow and evolve. The exchanges of ideas can and does contribute to decision-making for Microsoft, and hopefully across the other participants attending. I found it particularly valuable to hear the voices and opinions of the civil society. Whether it was hearing a perspective of humanitarian actors, or understanding the challenges related to cybersecurity policy making in emerging markets.
Microsoft believes that this wider discussion among stakeholders leads to deeper understanding of the complex challenges posed by cyberspace. Thats why we took the opportunity of this years IGF to organize a series of both smaller and individualized, as well as larger discussions around the different aspects of our proposal for a Digital Geneva Convention. The discussions investigated what the industry tech accord could involve and what the civil society would like us to do as an industry, but they also looked at the feasibility of creating a convention that would protect civilians and civilian infrastructure in cyberspace from harm by states and at what the path on that decade long road would be. We will be taking these insights and ideas back with us and incorporating them into our plans for 2018.
The Digital Geneva Convention was however by far not the only cybersecurity-focused topic we engaged in. There were sessions that looked at increasing CERT capacities, encryption, the exchange of cybersecurity best practices within IGF, as well those that sought to outline the future of global cybersecurity capacity building, which we believe is essential to the worlds collective ability to respond to cyber-attacks and needed both for individual countries and at the level of regional groupings such as ASEAN and the OAS. We also previewed the research that we are planning to publish shortly that looks at the latest global cybersecurity policy and legislative trends, analyzing data from over 100 countries and highlighting increased activity across critical infrastructure policies, militarization of cyberspace continues, expansion of law enforcement powers, cybercrime legislation, and cybersecurity skills concerned. Overall, my colleagues across Microsoft contributed to over 20 different sessions and panels, including on affordable access to the internet, where we were able to outline elements of our Airband Initiative, digital civility, where we presented the results of our latest study (to be released publicly shortly), future of work and artificial intelligence, and others.
Multi-stakeholder fora like the IGF are essential to preserving an open, global, safe, secure, resilient, and interconnected Internet. What the world needs is more such broad-based, holistic policy discussions. When it comes to building policy in cyberspace, policy-makers must acknowledge the interdependence of economic, socio-cultural, technological, and governance factors. That means they should actively foster more multi-stakeholder policy development for a, learning from the IGF. For the technology sector and civil society groups, our task must be to continue to push for inclusive, open, transparent, bottom-up policy-making, and to make the most of the opportunities that do exist.