Windows Defender Exploit Guard: Reducing the attack surface
BRK2084, 9/19/2018 4:47 PM. Misha Kutsovsky, Nate Nunez, Jimmy Luo, Program Managers. #BRK2084
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda
Learn about Windows Defender Exploit Guard (WDEG):
- Attack Surface Reduction
- Controlled Folder Access
- Network Protection
- Exploit Protection
Watch WDEG in action.
Takeaway: a new set of intrusion prevention tools to keep your company safe:
- Protect against macro-, email- and script-based threats
- Prevent data from being accessed by untrusted processes
- Stop web-based threats by blocking the outbound connection
- Reduce the exploitability of applications with built-in, EMET-like memory mitigations
The Windows 10 Security Landscape
The Windows 10 defense stack
PRE-BREACH
- Device protection: Device Health attestation, Device Guard, Device Control, Security policies; Device integrity, Device control
- Threat resistance: SmartScreen, AppLocker, Device Guard, Windows Defender, Network/Firewall; Edge/SmartScreen, Firewall, Application Guard, Antivirus, Exploit Guard
- Identity protection: Built-in 2FA, Account lockdown, Credential Guard, Microsoft Passport, Windows Hello
- Information protection: Device protection / Drive encryption, Enterprise Data Protection, Conditional access; BitLocker and BitLocker to Go, Windows Information Protection
POST-BREACH
- Breach detection, investigation & response: Conditional Access, Windows Defender ATP
End to End Protection (off machine / on machine, pre-breach / post-breach)
- Locked Down Devices: Windows 10 S, Device Guard, Credential Guard, VSM
- Windows Defender Exploit Guard (HIPS): Attack Surface Reduction (a set of rules to customize the attack surface); Controlled Folder Access (protecting data against access by untrusted processes); Exploit Protection (mitigations against memory-based exploits); Network Protection (blocking outbound traffic to low-reputation sources)
- O365 (Email): reducing the attack vector; advanced sandbox detonation
- OneDrive (cloud storage): reliable versioned file storage in the cloud; point-in-time file recovery
- Windows Defender Antivirus (AV): improved ML and heuristic protection; instantly protected with the cloud; enhanced exploit kit detections
- Windows Defender Antivirus Behavioral Engine (behavior analysis)
- Windows Defender ATP (Advanced Threat Protection): enhanced behavioral and machine learning detection; memory scanning capabilities; process tree visualizations; artifact searching capabilities; machine isolation and quarantine
- Application Control (whitelisting): whitelisting applications
- Edge (browser): browser hardening; reduced script-based attack surface; app container hardening; reputation-based blocking for downloads (SmartScreen)
- App Guard (virtualized security): app isolation
Why Windows Defender Exploit Guard?
Three Part Strategy
1. Block attacks at the front line: raise attacker costs to compromise entry points.
2. Defenses to minimize damage: assume front line defenses will fail; raise attacker cost to cause damage to the environment; prevent lateral movement.
3. Recovery + response: assume all defenses will fail; rapid response to detect threats and disrupt attack(s); restore data from backups that are inaccessible to attackers.
Securing apps with Exploit Guard
Reduce the attack surface of applications while balancing security with productivity (across apps, Windows and devices):
- Minimize the attack surface: signature-less control of entry vectors, based on cloud intelligence. Attack surface reduction (ASR) controls, such as the behavior of Office macros. Data-driven software defense.
- Break exploitation techniques: modern exploit mitigations for your apps; protect legacy applications without recompilation.
- Contain damage & prevent persistence: protect sensitive folders, processes and data assets from undetected malware and unknown threats.
- Limit the window of exposure to threats: respond to emerging exploits or threats; reactively turn on anti-exploit mitigations and set ASR controls.
Cycle: evaluate mitigations -> analyze attacks -> build mitigations.
Attack Surface Reduction (ASR) Rules
Email-borne Ransomware
Flow: malicious email received (Office/JS/Zip/Lnk/PowerShell/etc.) -> user opens mail -> ignores warning? -> running file... -> command and control -> ENCRYPTED.
A profitable model: targets the end user; attacks can rapidly scale; anonymous with BTC.
Demo: Clicking on the wrong email
Office Files Example
Smart-ASR control provides the ability to block behavior in a way that balances security & productivity:
- Office files (e.g. docx, docm, pptx, pptm, etc.): blocking all Office files severely impacts productivity (there are far more good files than malicious files).
- Office files w/ macros: blocking Office files with macros still impacts productivity (there is the occasional legitimate use of macros).
- Office files w/ macros that execute content: blocking these is far less impactful on legitimate productivity, while dramatically improving security.
- Office files w/ macros that download & execute content: this is almost exclusively the behavior of bad files, so blocking it has negligible impact on productivity with a dramatic security benefit.
Smart controls provided by WD Exploit Guard operate at these last levels. (Chart: good files vs. malicious files.)
Intelligent attack surface reduction rules
Script rules:
- Block obfuscated JS/VBS/PS/Macro code
- Block JS/VBS from executing payload downloaded from the Internet
Office rules:
- Block Office apps from creating executable content
- Block Office apps from launching child processes
- Block Office apps from injecting into processes
- Block Win32 imports from macro code in Office
Email rule:
- Block execution of executable content dropped from email (webmail/mail client)
Audit -> Block Flow
Proactive: (1) turn on ASR controls in Audit, (2) review impact, (3) turn on ASR controls in Blocking.
Reactive: (1) turn on ASR controls in Blocking directly.
Manageability
All Exploit Guard capabilities are easily manageable via Group Policy, MDM, Intune and SCCM.
Windows Defender Exploit Guard – Attack Surface Reduction: create rules to reduce the attack surface on the managed devices. You can block running of suspicious executables in macros, scripts & emails, or you can allow them while still auditing. (Learn more about Attack Surface Reduction.)
Attack Surface Reduction (2 settings available):
- Attack Surface Reduction rules, each set to Block or Audit only:
  - Rules to prevent Office macro threats: Office apps injecting into other processes; Office apps/macros creating executable content; Office apps launching child processes; Win32 imports from Office macro code
  - Rules to prevent script threats: obfuscated js/vbs/ps/macro code; js/vbs executing payload downloaded from the Internet
  - Rules to prevent email threats: execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client)
- Attack Surface Reduction exceptions
Controlled folder access: 3 settings available
Network filtering: 1 setting available
Exploit protection: 1 setting available
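The proactive Audit -> Review -> Block flow for ASR rules, as an added PowerShell example (not code from the deck or from Microsoft). It uses the Defender Antivirus cmdlets; the two rule GUIDs are placeholders, the exclusion path is constructed, and the EventData field names parsed from event 1122 are assumed.

```powershell
# Added example (not from the Ignite deck): the proactive Audit -> Review -> Block flow
# for ASR rules using the Defender Antivirus cmdlets. The two GUIDs below are
# placeholders; the real rule IDs are listed in Microsoft's ASR documentation.
$Rules = @{
    'Block Office apps from launching child process'     = '00000000-0000-0000-0000-000000000001'
    'Block Office apps from creating executable content' = '00000000-0000-0000-0000-000000000002'
}

# Step 1: Audit. Add-MpPreference merges into the existing rule list (Set-MpPreference
# would replace it), so rules already pushed by Intune/GP are left untouched.
foreach ($id in $Rules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Step 2: Review impact. ASR logs event 1122 (audited) and 1121 (blocked) to the
# Defender operational log; group by rule and process to see what would have been
# blocked. The EventData field names ('ID', 'Process Name', 'Path') are assumed.
function Get-AsrAuditSummary {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Rule = $d['ID']; Process = $d['Process Name']; Target = $d['Path'] }
    } | Group-Object Rule, Process | Sort-Object Count -Descending | Select-Object Count, Name
}
Get-AsrAuditSummary -Days 14

# Step 3: Exclude the few legitimate paths the review surfaced (constructed path;
# the exclusion list is shared by all ASR rules), then flip the same rules to Block.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Tools\LineOfBusinessAddin\'
foreach ($id in $Rules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Confirm the resulting rule/action pairs (0 = Disabled, 1 = Block, 2 = Audit).
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} -> {1}' -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
}
```

Run the review step for at least one business cycle (month-end macros are the classic false positive) before the Block step.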
ATP Integration
Demo: Blocking with Attack Surface Reduction
Blocking Zero Day/New Exploits
Controlled Folder Access
Ransomware mess: dominating security headlines, a nightmare for victims
- Business disruption
- Reputation damaged
- Access to data lost
- In need of the encryption key
- Stressing out over Bitcoins
Ransomware – Mechanics
- Anonymity is key: extensive use of obfuscation to hide location/ownership of C2 servers and payment infrastructure
- Rapidly changing: constantly trying new vectors of attack; underlying code changing for evasion
- Extremely damaging: once compromised, charges Bitcoin in exchange for providing the decryption key; data loss can still occur even after paying the ransom
Flow (victim infrastructure): 1. Target infected by ransomware; 2. Files encrypted; 3. Payment demand shown; 4. Victim sends ransom payment; 5. Decryption key promised upon receipt of funds.
Locky Daily Encounter Rate - Normalized
(Chart; the encounter-rate series itself is not recoverable here.) Developers are constantly tweaking Locky. Why? Evasion. Authors know we're on to them. Annotations on the timeline include: Locky v1 (no obfuscation); new file extensions; different DLL; obfuscation; new config format; hashed registry entries; C2 encrypted & encoded; new file extension; new config; encrypted C2.
Mitigation is hard
- Whitelisting applications is painful: loss of productivity
- Application exploits remain unpatched
- Backup & recovery is inconsistent/latent
- User education and training has dubious outcomes
Protect customer data from unauthorized access!!
Controlled folder access: a simplified approach
- Protect default known folders
- Smart application whitelisting
- Highly compatible
- Designed to slow down ransomware
Additional Configurations
- Add allowed applications
- Works with AV exclusions
- Monitored folders: additional protected folders
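Rolling out Controlled Folder Access audit-first and wiring up the two additional configurations above (allowed applications, additional protected folders), as an added example that is not from the deck. Folder and executable paths are constructed; the EventData field names read from events 1123/1124 are assumed.

```powershell
# Added example (not from the Ignite deck): Controlled Folder Access, audit -> review
# -> enforce, plus the allowed-application and protected-folder lists.

# 1. Start in audit mode: the default known folders are watched, nothing is blocked
#    yet, and every write by an untrusted process is logged instead of stopped.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Extend protection to the shares ransomware goes after first (constructed paths).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance', '\\fileserver\Projects'

# 3. Review: event 1124 = audited write, 1123 = blocked write. Processes that show up
#    here are either line-of-business tools to allow-list or something to investigate.
#    Field names 'Process Name' and 'Path' are assumed from the event schema.
function Get-CfaActivity {
    param([int[]]$Ids = @(1123, 1124), [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $Ids
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Process = $d['Process Name']
            Folder  = $d['Path']
        }
    }
}
Get-CfaActivity | Group-Object Process | Sort-Object Count -Descending |
    Format-Table Count, Name

# 4. Allow the in-house backup agent the review turned up. This list is per
#    executable and is the CFA-specific way to trust a process.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\LOB\backup-agent.exe'

# 5. Enforce. Repeat step 3 with the default Ids after enforcement to catch
#    anything the audit window missed (1123 events are the blocks users will report).
Set-MpPreference -EnableControlledFolderAccess Enabled
```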
Demo: Blocking ransomware with Controlled Folder Access
Network Protection
Threat Overview: The Internet is a dangerous place: phishing, malware, scams, exploits.
Threat Overview: End users are the weakest link in the kill chain. Bad guys are highly motivated: huge $$$, can scale massively, adaptable.
End Result: Bad guys convince employees to share their work password, download malware onto a work device (and network!), and run exploit kits.
The Solution: These threats can all be stopped by killing the outbound connection.
Network Protection takes Windows Defender SmartScreen's industry-leading protection and makes it available to all browsers and processes.
How Network Protection Works
On the host device, look at outbound connections (HTTP, HTTPS; destination IP or hostname), check URL reputation in the cloud, and block low-reputation sites.
Components: network filter driver (sees outgoing connections at the TCP/IP layer); Windows service (checks URL reputation, keeps a local cache for fast lookup, updates the local cache); cloud intelligence (reputation lookup).
URL Reputation: Closed Loop Intelligence Systems
(Diagram) ML intelligence systems and business processes feed a business protection layer (biz policy, rep data); grading produces reputation data for the reputation service; inputs are external data and telemetry data. Figures shown: reputation lookup 9.4 billion; Windows devices telemetry 1.5 billion; 500,000,000.
Best-in-class Phishing Protection
Socially-engineered malware
Attack Surface
Internet side: phish domain (username:/password: form), command & control (call home), payload (download payload: malware.exe). Device side: the user's machine.
Demo: Blocking Malware from Calling Home
Demo: Blocking Phishing Attacks in Chrome
Advantages of Network Protection
- Configurable: turn it on with a single switch
- Simple: baked into Windows as a native feature
- Mobile: works even when the end user is not on the corporate network
- Powerful: SmartScreen's best-in-class protection in all browsers and applications
Exploit Protection
Exploit Protection: Then
Exploit Protection: Then vs. Now
Exploit Protection Value Proposition
- Reduce memory vulnerabilities. Guards against: buffer overflows, double free, use after free
- Restrict access to critical APIs and functions. Guards against: API hijacking, elevation of privilege (EoP)
- Protect legacy applications. Guards against: return-oriented programming (ROP)
Exploit Protection: Easy to Use
- Configure mitigation settings using the WDSC UI or PowerShell
- Manage settings through SCCM/MDM/GP
- The ProcessMitigations PowerShell module includes a converter for EMET settings
- Events are created whenever mitigations are triggered
- Events are triggered in both audit and enforcement mode
Exploit Protection: New Mitigations
- Export Address Filtering (EAF/EAF+)
- Import Address Filtering (IAF)
- Validate API Invocation (CallerCheck)
- Validate Stack Integrity (StackPivot)
- Simulate Execution (SimExec)
Exploit Protection: All Mitigations
- Arbitrary Code Guard (ACG)
- Block Low Integrity Images
- Block Remote Images
- Block Untrusted Fonts
- Code Integrity Guard
- Control Flow Guard (CFG)
- Data Execution Prevention (DEP)
- Disable Extension Points
- Disable Win32k System Calls
- Do Not Allow Child Processes
- Export Address Filtering (EAF and EAF+)
- Force Randomization for Images (Mandatory ASLR)
- Import Address Filtering (IAF)
- Randomize Memory Allocations (Bottom-Up ASLR)
- Simulate Execution (SimExec)
- Validate API Invocation (CallerCheck)
- Validate Exception Chains (SEHOP)
- Validate Handle Usage
- Validate Heap Integrity
- Validate Image Dependency Integrity
- Validate Stack Integrity (StackPivot)
Exploit Protection Technical Design
(Diagram) Configuration sources: WDSC UI, PowerShell, MDM/GP, XML and middleware, RecommendedSettings.xml. When app.exe hits a mitigation, an event is written to the Event Log and surfaced in WDATP.
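Managing Exploit Protection from PowerShell with the ProcessMitigations module named on the "Easy to Use" slide, including the EMET converter and the mitigation events, as an added example that is not Microsoft's code. 'legacyapp.exe', the policy file paths and the property layout read back from Get-ProcessMitigation are assumptions.

```powershell
# Added example (not from the Ignite deck): Exploit Protection via the ProcessMitigations
# module. legacyapp.exe and the XML paths are constructed placeholders.
Import-Module ProcessMitigations

# 1. Migrate an existing EMET profile. The converter emits the XML schema that
#    Set-ProcessMitigation, MDM and Group Policy all consume.
ConvertTo-ProcessMitigationPolicy -EMETFilePath 'C:\Policies\EMET_Profile.xml' `
                                  -OutputFilePath 'C:\Policies\ExploitProtection.xml'
Set-ProcessMitigation -PolicyFilePath 'C:\Policies\ExploitProtection.xml'

# 2. Harden a legacy, non-recompiled application. StackPivot, CallerCheck, SimExec and
#    EAF/EAF+/IAF are the mitigations the deck lists as new; DEP, SEHOP and Bottom-Up
#    ASLR are the classic ones. All are per-process overrides of the system defaults.
Set-ProcessMitigation -Name 'legacyapp.exe' -Enable DEP, SEHOP, BottomUp,
    EnableRopStackPivot, EnableRopCallerCheck, EnableRopSimExec,
    EnableExportAddressFilter, EnableExportAddressFilterPlus, EnableImportAddressFilter

# 3. Read back what is in effect. The section/property names below (DEP.Enable,
#    SEHOP.Enable, Payload.EnableRop*) are assumed from the module's output object.
function Get-RopMitigationState {
    param([string]$Exe)
    $m = Get-ProcessMitigation -Name $Exe
    [pscustomobject]@{
        Exe         = $Exe
        DEP         = $m.DEP.Enable
        SEHOP       = $m.SEHOP.Enable
        StackPivot  = $m.Payload.EnableRopStackPivot
        CallerCheck = $m.Payload.EnableRopCallerCheck
        SimExec     = $m.Payload.EnableRopSimExec
    }
}
Get-RopMitigationState -Exe 'legacyapp.exe'

# 4. Export the merged configuration so SCCM/MDM/GP can push the same settings fleet-wide.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Policies\ExploitProtection-export.xml'

# 5. Mitigation hits are logged whether the mitigation is in audit or enforcement
#    mode, under the Security-Mitigations channels; newest first.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Security-Mitigations/UserMode',
                'Microsoft-Windows-Security-Mitigations/KernelMode'
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProcessId, Message | Sort-Object TimeCreated -Descending
```

Use the Audit* variants of the same mitigation names (for example AuditEnableRopStackPivot) with -Enable to trial a mitigation on an application before enforcing it.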
Demo: Exploit Protection, turning mitigations on
Demo: Exploit Protection, mitigating real attacks
Session resources
- Suite announcement
- Introducing Exploit Protection and Controlled Folder Access
- TechNet documentation
Ignite 2017 Windows Defender ATP (& related) sessions
*Please check the Ignite scheduling tool prior to session time.
Code | Day | Time | Title
BRK2082 | Monday | 2:15 PM - 3:30 PM | What's new in Windows 10 security? Raising your security bar with the Fall Creators Update!
BRK3063 | Tuesday | 11:30 AM - 12:15 PM | Next-Gen AV: Windows Defender Antivirus unleashed
BRK2072 | Tuesday | 12:30 PM - 1:45 PM | Next-gen preventative protection with Windows Defender Advanced Threat Protection
BRK2083 | Tuesday | | Drill down: What's new in the Fall Creators Update for Windows Defender ATP
BRK2281 | Tuesday | 4:00 PM - 5:15 PM | Protect, detect and respond to cyber-attacks with threat protection
BRK3062 | Wednesday | 12:45 PM - 1:30 PM | Automated response with Windows Defender ATP
BRK2060 | Wednesday | 3:15 PM - 4:00 PM | How Microsoft uses Windows Defender ATP - Welcome to a SecOps world!
BRK2084 | Wednesday | | Windows Defender Exploit Guard: Reducing the Attack Surface of applications while balancing productivity and security
BRK3375 | Thursday | 9:00 AM - 10:15 AM | Windows Defender ATP machine learning: Detecting new and unusual breach activity
BRK3068 | Thursday | | A real-world customer cyber security journey
BRK2438 | Thursday | | Ransomware: Don't pay the ransom
BRK2079 | Thursday | | Secure Windows 10 with Intune, Azure AD and System Center Configuration Manager
BRK3064 | Thursday | 4:30 PM - 5:15 PM | Windows Defender ATP now extends beyond Windows clients.
BRK2059 | Friday | | Your attacker thinks like my attacker: A common threat model to create better defense
BRK2058 | Friday | | Investigate and shut down attacks more precisely than ever before with Windows Defender ATP
Q&A: If you have questions please proceed to the Q&A microphone located in your session room.
Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!