Exploits do not Stop Evolving, and Neither Should Security
I’ve written a few posts on security lately, and on what Microsoft is continuing to do in this area – particularly around a suite of (increasingly) integrated solutions rather than a single point product. Think EM+S and Microsoft 365 – but only if you’ve had a coffee today.
One of my favourites (yes I am that much of a geek) is Windows Defender Advanced Threat Protection. I think I’ve said before – don’t let the name fool you. This is so much more than antivirus.
If you still haven’t subscribed to the Microsoft security blog and have any Microsoft solutions in your environment, whether identity, devices, apps or infrastructure, you need to. Stay up to date on what Microsoft is providing in this arena; go there now. They still have a way to get post updates using RSS, although I think we’ve missed something in the really simple part of RSS. https://blogs.microsoft.com/microsoftsecure/
I read an interesting article on the very same blog recently about a software supply chain compromise. Basically, this is where you download an app from a ‘trusted’ source (because they’re a trusted vendor, right?!) and the malware doesn’t come from the vendor’s own code at all: it comes from another app or component that the software depends on and pulls in, and which has been tampered with somewhere between the partner who built it and your machine. Your trust in the vendor is what gets the malicious code past the front door.
In this case the downloaded application fetched a component from a software partner as part of its installation, and the MSI for that component had been replaced with one carrying a malicious payload. Nothing looked wrong until the app was installed. At that point the tampered MSI connected to a web site and installed not only the expected component but also coin mining software pulled from a second site. After a device restart, the attackers swapped the malicious MSI for the legitimate one so that anyone checking later would find a clean package and nothing to explain the activity.
Nasty! How do you protect against this type of thing? (It deserves a line of its own)
Windows Defender Advanced Threat Protection
The article states that Windows Defender Advanced Threat Protection (referred to below as WD-ATP) immediately detected the suspicious activity carried out by the malicious MSI installer.
It didn’t do this from AV definitions. It did it from a combination of behaviours: an unsigned MSI being invoked in an unusual way (anomalous behaviour for a signed installer from a known vendor), modification of hosts file entries, and communication with a suspicious web site. None of those needs a signature for the specific payload; each is a thing a healthy installer simply shouldn’t do, and together they are hard to explain away.
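Those three indicators are also things you can check yourself on a single host while an investigation is under way. The script below is an added example, not code from the original post and not part of WD-ATP or any Microsoft tooling; it assumes Windows PowerShell 5.1 or later with local administrator rights, and the function names, the list of “local” addresses treated as benign, and the folder names used to flag a package running from a user-writable location are my own assumptions, not anything from the article.

```powershell
# Added example, not from the original post or from Microsoft.
# Hypothetical single-host triage for the three behaviours described above:
#   1. an MSI that is not validly signed,
#   2. hosts file entries pointing names away from the local machine,
#   3. msiexec processes running a package from a temp/user folder and talking to the network.
# Assumes Windows PowerShell 5.1+ and local admin rights (needed for process command lines).

param(
    [string]$MsiPath   # optional: path of a package dropped by an installer that you want to inspect
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Authenticode check. NotSigned, HashMismatch or NotTrusted on a package that a
#    signed, trusted installer just launched is exactly the anomaly the post describes.
function Test-MsiSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Suspicious = ($sig.Status -ne 'Valid')
    }
}

# 2. Hosts file review. Comments and blank lines are dropped; any entry whose address is not
#    one of the assumed-benign local addresses is returned for a human to look at.
function Get-SuspiciousHostsEntries {
    param([string]$Path = $hostsPath)
    $localAddresses = @('127.0.0.1', '::1', '0.0.0.0')   # assumption: these are the only benign targets
    Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { ($_ -split '#')[0].Trim() } |    # strip trailing comments
        Where-Object { $_ } |                             # skip empty lines
        ForEach-Object {
            $parts = $_ -split '\s+'
            $names = if ($parts.Count -gt 1) { $parts[1..($parts.Count - 1)] -join ' ' } else { '' }
            [pscustomobject]@{ Address = $parts[0]; Names = $names }
        } |
        Where-Object { $localAddresses -notcontains $_.Address }
}

# 3. Live msiexec instances: where the package came from and who they are connected to.
function Get-RunningMsiexec {
    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'msiexec.exe'"
    foreach ($p in $procs) {
        $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProcessId   = $p.ProcessId
            CommandLine = $p.CommandLine
            # assumption: a package launched from these folders is worth a second look
            FromUserDir = [bool]($p.CommandLine -match '\\(Temp|AppData|Downloads)\\')
            RemoteHosts = (($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', ')
        }
    }
}

if ($MsiPath) { Test-MsiSignature -Path $MsiPath | Format-List }
Write-Host '--- hosts entries not pointing at the local machine ---'
Get-SuspiciousHostsEntries | Format-Table -AutoSize
Write-Host '--- running msiexec.exe instances ---'
Get-RunningMsiexec | Format-Table -AutoSize
```

Run it as `.\Triage-Installer.ps1 -MsiPath C:\path\to\package.msi` from an elevated prompt. It is a point-in-time check on one box, which is precisely its limitation: the swap of the malicious MSI for the legitimate one after a restart means a signature check done the next morning will pass, which is why the timeline and process-tree history a cloud-backed sensor keeps matters more than anything this script can tell you after the fact.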
AV will detect this now – I’m sure of it. It’s a known compromise that has been identified and shut down. This one is different, in that it didn’t try to steal information or encrypt files and demand a ransom. However, before AV was aware of this, I’d hate to have been compromised and have my resources used for coin mining for someone else’s profit! I also don’t want to be a victim of the next software supply chain compromise and be waiting for an AV definition to be released.
Remember that WD-ATP is a cloud service and has far more investigation, reporting and device-isolation capability than this one example of detection and remediation shows. Because the endpoint sensor reports to the cloud service rather than to something inside my network, my devices get the same detection and response when they are outside my border-protected boundary. Have a look at a quick 5-minute overview of some of the WD-ATP capabilities here https://youtu.be/qxeGa3pxIwg
WD-ATP also provides a Security Score dashboard that gives your organisation a security rating, shedding light on areas that require attention, along with recommendations to reduce attack risk! The full write-up of the compromise is on the Microsoft security blog linked above.