Crippling the Cyber Kill Chain

Krunal Kalaria
Aug 20, 2020

While Digital Transformation is driving exponential growth for organizations, businesses are increasingly exposed to sophisticated cyber threats built on complex code that is hard to detect. The security landscape is changing very swiftly, with record leaks, bank account hacks and online fraud making headlines every morning. The mechanisms in place today aren’t strong enough to protect against these breaches.

Defenders must now deal with dynamic cyber wars and “Advanced Persistent Threats” (APTs). Lockheed Martin defines an Advanced Persistent Threat as:

Advanced: Targeted, coordinated and purposeful

Persistent: Month after month, year after year

Threat: Person with intent, opportunity, and capability

Lockheed Martin’s Cyber Kill Chain breaks an intrusion into seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Attackers must complete every stage to achieve their objectives, so disrupting any one of them breaks the chain.

Endpoints: PROTECT, DETECT and RESPOND

Traditional solutions like antivirus and antispam aren’t equipped to combat modern threats against the most vulnerable and most valuable target for intruders: the endpoints. Let us discuss briefly how endpoints can be protected at each stage of the Cyber Kill Chain, raising the attacker’s cost at every step and breaking their standard playbook.

Reconnaissance/Weaponization

We have fewer controls over pre-attack reconnaissance and weaponization, where the adversary studies you (open-source research, social engineering, scouting for phishing, spear-phishing or watering-hole opportunities) and builds a weapon to target you. Some hygiene and awareness can still make the attacker sweat at this early stage: keep your ecosystem patched and up to date, and train employees so that they do not fall prey to phishing and social engineering attacks.

Delivery

Once the weapon is built, the adversary attempts to deliver it. The delivery vector can be email, a web browser, removable media (USB/DVD), or a vulnerability in one of your applications.

Protection against unsafe attachments and expanding protection against malicious links

Office 365 Advanced Threat Protection (Safe Attachments and Safe Links) offers protection against unknown malware and viruses and against malicious URLs, with rich reporting and URL trace capabilities. It complements the security features of Exchange Online Protection to provide better zero-day protection. This blocks the weapon from reaching your endpoint through the email channel, and the intruder must now rethink how to deliver it to you.
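As an added example (not from the original article), here is how the two Office 365 ATP features described above are switched on from Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed, that the account holds a security administrator role, and that "contoso.com", the policy names and the "secops@contoso.com" redirect mailbox are placeholders for your own tenant.

```powershell
# Added example: configure Office 365 ATP Safe Attachments and Safe Links.
# Assumptions: ExchangeOnlineManagement module installed, Security Administrator
# role, and "contoso.com" / "secops@contoso.com" are placeholder values.

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# Safe Attachments: detonate unknown attachments in a sandbox before delivery.
# -Action Block quarantines the whole message when the attachment is malicious
# (DynamicDelivery would deliver the body now and the attachment after scanning).
$saPolicy = 'KillChain-SafeAttachments'
if (-not (Get-SafeAttachmentPolicy -Identity $saPolicy -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $saPolicy -Enable $true -Action Block `
        -Redirect $true -RedirectAddress 'secops@contoso.com' -ActionOnError $true
    New-SafeAttachmentRule -Name "$saPolicy-Rule" -SafeAttachmentPolicy $saPolicy `
        -RecipientDomainIs 'contoso.com'
}

# Safe Links: rewrite URLs so they are checked at click time, not only at delivery,
# because a link that was clean when the mail arrived can be weaponized later.
$slPolicy = 'KillChain-SafeLinks'
if (-not (Get-SafeLinksPolicy -Identity $slPolicy -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $slPolicy -IsEnabled $true -ScanUrls $true `
        -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -DoNotAllowClickThrough $true
    New-SafeLinksRule -Name "$slPolicy-Rule" -SafeLinksPolicy $slPolicy `
        -RecipientDomainIs 'contoso.com'
}

# Verify: both policies exist and are enabled.
Get-SafeAttachmentPolicy -Identity $saPolicy | Select-Object Name, Enable, Action, Redirect
Get-SafeLinksPolicy -Identity $slPolicy | Select-Object Name, IsEnabled, ScanUrls, TrackClicks

# URL trace: who clicked which (rewritten) link in the last 7 days, and whether it was blocked.
Get-UrlTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Format-List
```

Apply the rules to a pilot group first (swap -RecipientDomainIs for -SentTo with a few mailboxes) and watch the URL trace for a week before widening the scope; -DoNotAllowClickThrough removes the user's ability to override a block page, which is what you want once the pilot is quiet.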

Protection while browsing the web

Windows Defender Application Guard (WDAG) isolates enterprise-defined untrusted sites, protecting organizations while their employees browse the Internet. When an employee opens an untrusted site, whether from Microsoft Edge, Internet Explorer, or another browser such as Google Chrome or Mozilla Firefox (via the Application Guard browser extension), Microsoft Edge opens the site in an isolated Hyper-V container that is separate from the host operating system. If the untrusted site turns out to be malicious, the host PC is protected and the attacker cannot reach your enterprise data. Besides, Edge is sandboxed by default, with built-in hardening such as Attack Surface Reduction, MemGC, and Control Flow Guard, which makes it even harder to exploit.

Getting tough, isn’t it? For the attacker, of course!

Exploitation and Installation

Even if the weapon still gets in, the adversary will attempt to execute it, exploiting a vulnerability, and then install malicious code that persists. Once successful, they can control your endpoint remotely via Command and Control (C&C).

Real-Time Protection against known malicious code

The built-in antivirus in Windows 10 (Windows Defender Antivirus) blocks the execution of known malicious code. Advanced capabilities like Cloud-Delivered Protection and Block at First Sight extend that to new malware: a suspicious file that local signatures do not recognise is held while the cloud service renders a verdict within seconds.
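The following added example (my own, not code from the article) turns on cloud-delivered protection and Block at First Sight with the Defender PowerShell module and then verifies the effective state. It assumes an elevated session on Windows 10 with Windows Defender Antivirus active; the values chosen for the cloud block level and timeout are a reasonable enterprise baseline, not mandated by the article.

```powershell
# Added example: enable Windows Defender AV cloud-delivered protection and
# Block at First Sight, then verify. Elevated PowerShell, Windows 10.

# Block at First Sight only works when MAPS reporting is Advanced and sample
# submission is allowed; without those it silently does nothing.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples   # SendSafeSamples is the lighter option
Set-MpPreference -DisableBlockAtFirstSeen $false

# How aggressive the cloud verdict is (Default/Moderate/High/HighPlus/ZeroTolerance)
# and how many extra seconds (0-50, on top of the default 10) a file is held
# while the cloud analyses it.
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50

# Real-time monitoring is what intercepts the file before first execution;
# make sure nobody has switched it off.
Set-MpPreference -DisableRealtimeMonitoring $false

# Verify the effective configuration and engine health.
Get-MpPreference |
    Select-Object MAPSReporting, SubmitSamplesConsent, DisableBlockAtFirstSeen,
                  CloudBlockLevel, CloudExtendedTimeout, DisableRealtimeMonitoring

Get-MpComputerStatus |
    Select-Object AMRunningMode, RealTimeProtectionEnabled,
                  AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# Recent detections (event 1116 = malware detected, 1117 = action taken) confirm
# the engine is blocking rather than only logging.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If AMRunningMode reports "Passive Mode" or "EDR Block Mode", another antivirus product owns real-time protection and these settings will not take effect until it is removed.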

Protection against the installation of untrusted Applications

Windows Defender Application Control (WDAC) is a crucial line of defense for protecting enterprises in today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Application control flips the model from one where all applications are assumed trustworthy by default (block-listing known-bad code) to one where applications must earn trust before they can run (allow-listing known-good code).
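As an added example (not from the original article), here is the usual WDAC rollout: build a policy from a clean reference machine, deploy it in audit mode, read what would have been blocked, then enforce. It assumes an elevated session on Windows 10 Enterprise, a "golden" image carrying only the software you intend to allow, and the C:\WDAC path is a placeholder.

```powershell
# Added example: create a WDAC policy from a golden image, deploy it in audit
# mode, review audit events, then enforce. Elevated session, Windows 10 Enterprise.
# C:\WDAC is a placeholder working directory.

$PolicyXml = 'C:\WDAC\AllowGolden.xml'
$PolicyBin = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'   # single-policy format location
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan the machine and allow what is found by Publisher (signer + product name),
# falling back to file hash for anything unsigned. -UserPEs covers user-mode code.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $PolicyXml

# Rule options: 0 = Enabled:UMCI (enforce for user mode), 3 = Enabled:Audit Mode,
# 6 = Enabled:Unsigned System Integrity Policy (fine for testing; sign in production),
# 16 = Enabled:Update Policy No Reboot.
foreach ($opt in 0, 3, 6, 16) { Set-RuleOption -FilePath $PolicyXml -Option $opt }

# Compile to binary and place it where Code Integrity reads it; reboot to apply.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# After running in audit mode for a while, CodeIntegrity event 3076 lists every
# binary that WOULD have been blocked. Close those gaps before enforcing.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# Switching to enforcement = drop option 3 and recompile (then reboot):
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
#   ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Once enforced, event 3077 in the same log records actual blocks; the first week of those events is where you find the line-of-business tool nobody told you about, so keep option 16 on so the policy can be updated without a reboot.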

No room for malware or ransomware to execute! You don’t trust them, right?

Protection against vulnerabilities in your Applications and Reduction of Attack Surface

Windows Defender Exploit Guard (WDEG) is a set of host intrusion prevention capabilities that help reduce the attack surface of the applications you use. Exploit Guard comes with four sets of capabilities:

Exploit protection applies exploit mitigation techniques (DEP, ASLR, Control Flow Guard and others) to the operating system and to individual apps.

Attack Surface Reduction rules reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware.

Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity from any process on your devices.

Controlled folder access protects files in key folders (Documents, Pictures, Desktop and any folder you add) from changes made by malicious and suspicious applications, including file-encrypting ransomware.
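The added example below (mine, not the article's) enables all four Exploit Guard capabilities from PowerShell, starting in audit mode wherever one exists so you can see what would break before you block. It assumes an elevated session on Windows 10 1709 or later; the ASR rule GUIDs are Microsoft's published identifiers, while "D:\Finance", "C:\Apps\Backup\backup.exe" and "legacyapp.exe" are hypothetical placeholders.

```powershell
# Added example: enable Exploit Guard (ASR rules, network protection, controlled
# folder access, exploit protection) in audit mode, verify, and review events.
# Elevated session, Windows 10 1709+. Paths and legacyapp.exe are placeholders.

# 1. Attack Surface Reduction rules. Actions: 0 Disabled, 1 Enabled (block), 2 AuditMode.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Network protection: SmartScreen reputation applied to every outbound connection.
Set-MpPreference -EnableNetworkProtection AuditMode

# 3. Controlled folder access: only trusted apps may write to protected folders.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'                    # hypothetical
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Apps\Backup\backup.exe'   # hypothetical

# 4. Exploit protection: per-process mitigations for a hypothetical legacy app.
Set-ProcessMitigation -Name 'legacyapp.exe' -Enable DEP, ForceRelocateImages, BottomUp, CFG, BlockRemoteImageLoads

# Verify what is configured.
Get-MpPreference |
    Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
                  EnableNetworkProtection, EnableControlledFolderAccess
Get-ProcessMitigation -Name 'legacyapp.exe'

# Review audit events before flipping anything to Enabled:
#   1121 ASR blocked / 1122 ASR audited
#   1123 CFA blocked / 1124 CFA audited
#   1125 network protection audited / 1126 network protection blocked
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124, 1125, 1126
} -ErrorAction SilentlyContinue |
    Group-Object Id | Select-Object Name, Count
```

The usual casualty of "Block all Office applications from creating child processes" is a macro-driven add-in or a print workflow; find those in the 1122 audit events, exclude or fix them, and only then rerun Add-MpPreference with -AttackSurfaceReductionRules_Actions Enabled.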

Exploitation? No more!

Privilege Escalation

The intruder might try various techniques, such as social engineering or stealing credentials from LSASS memory (Pass-the-Hash attacks), to obtain credentials and move laterally further into your network.

Protecting Stored Credentials

Windows Defender Credential Guard (WDCG) is a native capability in Windows 10 that uses virtualization-based security to isolate secrets so that only privileged system software can reach them. It protects NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials from being read out of LSASS memory.
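As an added example (not from the original article), the script below enables Credential Guard through the documented registry values and then checks whether it is actually running, because a policy that is set but whose prerequisites are missing leaves LSASS just as exposed as before. It assumes Windows 10 Enterprise 64-bit on UEFI with Secure Boot and virtualization extensions enabled, an elevated session, and a reboot after the registry changes; the Test-CredentialGuardRunning helper is my own.

```powershell
# Added example: enable Windows Defender Credential Guard via the documented
# registry keys and confirm it is running after reboot. Elevated session,
# Windows 10 Enterprise x64, UEFI + Secure Boot, VT-x/AMD-V enabled.

$dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Virtualization-based security, requiring Secure Boot (1) or Secure Boot + DMA protection (3).
New-Item -Path $dg -Force | Out-Null
Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord

# LsaCfgFlags: 1 = enabled with UEFI lock (cannot be turned off from inside the OS),
# 2 = enabled without lock. Use 1 on production endpoints.
Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Value 1 -Type DWord

# After the reboot, query the Win32_DeviceGuard class. SecurityServicesRunning
# contains 1 when Credential Guard is running and 2 when HVCI is running.
function Test-CredentialGuardRunning {
    $state = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                             -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus                 = $state.VirtualizationBasedSecurityStatus   # 2 = enabled and running
        CredentialGuardConfigured = [bool]($state.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($state.SecurityServicesRunning    -contains 1)
        HvciRunning               = [bool]($state.SecurityServicesRunning    -contains 2)
    }
}
Test-CredentialGuardRunning

# With Credential Guard running, the isolated LSA lives in LsaIso.exe and LSASS
# no longer holds clear NTLM hashes or TGTs; an LSASS dump yields encrypted blobs.
Get-Process -Name LsaIso -ErrorAction SilentlyContinue | Select-Object Name, Id
```

If CredentialGuardConfigured is true but CredentialGuardRunning is false, look at VbsStatus and the firmware side (Secure Boot off, virtualization disabled in BIOS, or a hypervisor such as a third-party VM product holding the hardware) before assuming the policy worked.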

Moving Towards a Password Less World

Just imagine a world without passwords. What will the attackers use to get access to your valuable resources?

Windows Hello for Business (WHfB) replaces passwords with strong two-factor authentication on endpoints. The authentication uses a new type of user credential that is tied to the device and unlocked with a biometric or a PIN that is local to that device, so there is no shared secret for an attacker to phish or replay elsewhere.

Detection and Response at all Stages

We live in a world where we assume breach, and that is where we see many attacks materializing in large organizations despite the heavy investments they may have made in protection mechanisms. We need to detect these breaches early and initiate a timely response so that we can limit the damage caused.

Windows Defender Advanced Threat Protection (WDATP) is an intelligent endpoint detection and response (EDR) service whose sensor is built into Windows 10. It provides preventative protection, detects attacks and zero-day exploits, and gives you centralized management for your end-to-end security lifecycle. This gives you timely insight so that a breach can be responded to in time.

PUTTING IT ALL TOGETHER!

Windows 10 and Office 365 have built-in native capabilities that help address threats at each stage of the attack lifecycle, with less administrative, performance, and cost overhead. These integrated capabilities work well with each other and are powered by the Microsoft Intelligent Security Graph. Microsoft’s insights into the threat landscape, informed by trillions of signals from billions of sources, feed that graph, which is used to protect endpoints, detect attacks earlier, and accelerate response.
