Encryptor viruses: Microsoft has prepared a vaccine

  
The other day Russia saw one of the largest and, judging by the press, "noisiest" cyber attacks to date: the networks of several government departments and major organizations, including the Ministry of Internal Affairs, were hit. The WannaCryptor (WannaCry) ransomware encrypted data on employees' computers and demanded a large sum for its return so that they could continue working. It is a clear illustration that no one is immune from extortionists. Nevertheless, the threat can be fought; below we show several of the ways that Microsoft offers.


What do we know about extortionists? They are criminals who demand money or property from you under threat of adverse consequences. In business this happens from time to time, and everyone roughly knows how to act in such situations. But what if an extortionist virus has settled on your work computers, blocks access to your data and demands that you transfer money to certain people in exchange for the unlock code? You need to turn to information security specialists, and it is best to do this in advance, so that the problem never arises.


The number of cybercrimes has grown by an order of magnitude in recent years. According to a SentinelOne study, half of the companies in the largest European countries have been attacked by ransomware, and more than 80% of those have been victims three or more times. A similar picture is seen all over the world. The information security company Clearswift names a kind of "top list" of countries most affected by ransomware: the USA, Russia, Germany, Japan, Britain and Italy. Small and medium businesses are of particular interest to attackers because they have more money and more sensitive data than private individuals, but none of the powerful security teams that large companies can afford.

What to do, and most importantly, how to prevent an extortionist attack? To begin with, let us assess the threat itself. An attack can be carried out in several ways, and one of the most common is email. Criminals actively use social engineering, whose effectiveness has not diminished since the days of the famous twentieth-century hacker Kevin Mitnick. They may call an employee of the victim company on behalf of a real counterparty and, after the conversation, send a letter with an attachment containing a malicious file. The employee will of course open it, because he has just spoken with the sender by phone. Or an accountant may receive a letter purportedly from the bailiff service or from the bank that serves his company. No one is immune, and even the Ministry of Internal Affairs has been hit before: a few months ago hackers sent a fake invoice in Rostelecom's name, carrying an encryptor, to the accounting department of the Kazan Linear Directorate of the Ministry of Internal Affairs, and it blocked the work of the accounting system.

The source of infection may also be a phishing site that the user reached through a deceptive link, or a flash drive "accidentally forgotten" by someone in the office. Increasingly, infection comes through employees' unprotected mobile devices, from which they access corporate resources. And antivirus may not help: hundreds of malicious programs that bypass antivirus are known, not to mention "zero-day attacks" that exploit newly discovered holes in software before a patch exists.

What is a cyber-extortionist?


A program known as an "extortionist", "encryptor" or ransomware blocks the user's access to the operating system and usually encrypts the data on the hard disk. A message appears on the screen saying that the computer is locked and that the owner must transfer a large sum to the attacker if he wants to regain control of his data. Most often the screen also shows a countdown of 2-3 days to hurry the user along; after it expires, the contents of the disk will supposedly be destroyed. Depending on the criminals' appetite and the size of the company, ransom amounts in Russia range from several tens to several hundred thousand rubles.

Such malware has been known for many years, but in the last two or three years it has truly flourished. Why? First, because people pay the criminals. According to Kaspersky Lab, 15% of Russian companies attacked in this way prefer to pay the ransom, and two thirds of the companies worldwide that underwent such an attack lost their corporate data in full or in part.

Second, the cybercriminals' toolkit has become more sophisticated and more accessible. Third, the victim's own attempts to "guess the password" do not end well: modern encryptors use strong cryptography and the key never leaves the attacker, so it cannot be brute-forced, and the police rarely find the criminals, especially within the countdown period.

Incidentally, not every attacker bothers to hand over the key even to a victim who has transferred the required amount.

What is the problem for business?


The main information security problem for small and medium-sized businesses in Russia is that they lack the money for powerful specialized security equipment while having more than enough IT systems and employees with whom all kinds of incidents can happen. To combat ransomware it is not enough to have a configured firewall, an antivirus and security policies. You need to use every available tool, first of all those provided by the operating system vendor, because they are inexpensive (or included in the price of the OS) and fully compatible with the vendor's own software.

The vast majority of client computers and a large share of servers run Microsoft Windows. Everyone knows the built-in security features, such as Windows Defender and Windows Firewall, which, together with timely OS updates and restricted user rights, give a level of protection that is quite adequate for an average employee in the absence of specialized tools.

But a peculiarity of the relationship between business and cybercriminals is that the former often do not know they are being attacked by the latter. They believe themselves protected, while in fact the malware has already penetrated the network perimeter and is quietly doing its job; after all, not all malware behaves as brazenly as an extortionist trojan.

Microsoft has changed its approach to security: it has expanded its line of information security products, and it now emphasizes not only protecting companies from modern attacks as far as possible, but also enabling them to investigate an infection if one does occur.

Mail protection


The mail system, as the main channel through which threats penetrate the corporate network, must be protected additionally. For this purpose Microsoft developed Exchange Advanced Threat Protection (ATP), which analyzes email attachments and Internet links and responds promptly to detected attacks. It is a separate product that integrates with Microsoft Exchange and requires no deployment on each client machine.

Exchange ATP can detect even "zero-day attacks" because it runs every attachment in a special "sandbox", without releasing it to the user's operating system, and analyzes its behavior. If no signs of an attack are found, the attachment is considered safe and the user can open it. A potentially malicious file is quarantined and the administrator is notified. One caveat a practitioner should keep in mind: detonation takes time, so delivery of messages with attachments is delayed, and malware that checks for a sandbox before acting can still slip through, so this layer complements rather than replaces endpoint protection.

Links in messages are also checked. Exchange ATP rewrites every link to point at an intermediate address. When the user clicks the link in the message, he first lands on that intermediate address, and at that moment the system checks the real destination. The check is so fast that the user does not notice the delay. If the link leads to an infected site or file, the redirect is blocked.

Why is the check done at the moment of the click rather than when the message arrives, when there would be more time for analysis and therefore less computing power needed? This is done deliberately, to defeat the attackers' trick of swapping the content behind a link. A typical example: a message arrives in the mailbox at night, the system checks the link and finds nothing, and by morning the same link on the same site is serving, say, a file with a trojan, which the user calmly downloads.

The third part of the Exchange ATP service is its built-in reporting. It supports incident investigation and provides the data to answer when the infection occurred and how and where it happened. That lets you find the source, determine the damage and understand whether it was an accidental hit or a targeted attack against this particular company.

The same system is useful for prevention. For example, an administrator can pull statistics on how many clicks were made on links marked as dangerous, and which users made them. Even if no infection resulted, it is still worth having a word with these employees.

True, there are categories of employees whose duties force them to visit a wide variety of websites, for example marketers researching the market. For them Microsoft technologies let you configure a policy so that any downloaded file is scanned in the sandbox before it is saved to the computer. And the rules are set up in a few clicks.
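The two mechanisms described above, sandbox detonation of attachments and click-time checking of rewritten links, are configured as policies rather than installed on clients. The following is an added example, not code from the article or from Microsoft, showing how the two policies are created with the Exchange Online PowerShell cmdlets. It assumes you have already run Connect-ExchangeOnline as a Security Administrator, and the domain "contoso.com", the mailbox "secops@contoso.com" and the "Corp-" policy names are placeholders. Parameter names for these cmdlets have changed between service versions, so check Get-Help New-SafeLinksPolicy -Full in your own tenant before running it.

```powershell
# Added example (not from the article): configure Exchange ATP's two mail
# defenses, Safe Attachments (sandbox detonation) and Safe Links (click-time
# URL checking), with the Exchange Online PowerShell cmdlets.
# Assumptions: Connect-ExchangeOnline (ExchangeOnlineManagement module) has
# already been run as a Security Administrator; "contoso.com",
# "secops@contoso.com" and the "Corp-" names are placeholders; parameter
# names differ between service versions, so verify with Get-Help first.

$Domain        = 'contoso.com'      # placeholder recipient domain
$SecOpsMailbox = "secops@$Domain"   # placeholder mailbox for blocked copies

# Safe Attachments: every attachment is detonated in the sandbox before
# delivery. Action Block withholds the message if the file misbehaves; Redirect
# sends a copy of the blocked message to the security team for investigation.
New-SafeAttachmentPolicy -Name 'Corp-SafeAttachments' `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress $SecOpsMailbox

# The rule binds the policy to recipients; without a rule the policy is inert.
New-SafeAttachmentRule -Name 'Corp-SafeAttachments-Rule' `
    -SafeAttachmentPolicy 'Corp-SafeAttachments' `
    -RecipientDomainIs $Domain

# Safe Links: URLs are rewritten so the destination is verified at click time,
# which defeats swapping the content behind a link after delivery.
# ScanUrls also checks links inside attachments; TrackClicks keeps the click
# telemetry that the reports are built from; EnableForInternalSenders rewrites
# links in mail between colleagues too, since an internal sender may itself be
# a compromised account.
New-SafeLinksPolicy -Name 'Corp-SafeLinks' `
    -IsEnabled $true `
    -ScanUrls $true `
    -TrackClicks $true `
    -EnableForInternalSenders $true

New-SafeLinksRule -Name 'Corp-SafeLinks-Rule' `
    -SafeLinksPolicy 'Corp-SafeLinks' `
    -RecipientDomainIs $Domain

# Verify what is now in force.
Get-SafeAttachmentPolicy -Identity 'Corp-SafeAttachments' |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeLinksPolicy -Identity 'Corp-SafeLinks' |
    Format-List Name, IsEnabled, ScanUrls, TrackClicks, EnableForInternalSenders
```

Two design points: the rule, not the policy, decides who is covered, so a policy with no rule protects nobody, and scoping by recipient domain rather than by group avoids leaving new mailboxes unprotected. Enabling the policy for internal senders costs nothing and closes the gap where a message from a compromised colleague's account would otherwise be trusted.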

Protection of credentials


One target of attackers is user credentials. There are many techniques for stealing logins and passwords, and they must be met with strong protection. There is little hope in the employees themselves: they invent simple passwords, use one password for every resource and write it on a sticky note glued to the monitor. This can be fought with administrative measures and by enforcing password requirements in software, but there is still no guaranteed effect.

If a company takes security seriously, it separates access rights, so that, for example, an engineer or a sales manager cannot reach the accounting server. But the hackers have another trick: from an ordinary employee's compromised account they can send a message to the target specialist who holds the needed information (financial data or a trade secret). Having received a message from a "colleague", the recipient will almost certainly open it and launch the attachment. The encryptor then has access to data valuable to the company, for whose return the company may pay a great deal.

To ensure that a compromised account does not let attackers into the corporate system, Microsoft offers to protect it with multifactor authentication: Azure Multi-Factor Authentication. That is, besides the login/password pair, the user must enter a one-time code sent by SMS, confirm a push notification generated by the mobile application, or answer an automated phone call. Of these, the SMS code is the weakest factor, since SMS can be intercepted or redirected, so the app-based options are preferable. Multifactor authentication is especially useful for remote employees, who may log into the corporate system from anywhere in the world.

For larger companies Microsoft has developed an advanced server-side system for analyzing events in the local domain: Advanced Threat Analytics. This analytical service monitors user behavior and raises an alert when it sees anomalies: a login from an unusual place (another country), numerous incorrect password attempts, an account accessing a server belonging to another department, and so on.

Whitelists


New cyber attacks call for new security solutions, and Windows 10 Enterprise has them. One is allowing only trusted software to run on client computers. This approach has been applied successfully on mobile platforms, where every application is vetted and digitally signed, and the device allows it to launch on that basis. In Windows this function is implemented by the Device Guard security mechanism.

Device Guard is a hardware-and-software solution that allows only trusted applications to run on a PC with Windows 10. An application must be signed by a publisher that the organization's code integrity policy trusts, or otherwise match a rule in that policy. If the user tries to run an application outside the list, whether deliberately or not, the launch is denied even under local administrator rights, because the policy itself is signed with a certificate the local administrator does not control, so he can neither change nor remove it.

And how to defend against the execution of malicious JavaScript and other scripts when the company's own applications depend on scripts? In this case Microsoft recommends using Device Guard together with AppLocker and prohibiting the launch of all scripts except those in a specific path defined in AppLocker. The caveat: such a path rule is only as strong as the folder's permissions, so the allowed path must not be writable by ordinary users, otherwise an attacker simply drops the script there.

These tools provide a high level of protection and work at the hardware and software level. In practice this means that ransomware delivered as an unsigned executable or an unapproved script simply does not run on the user's computer.

Introducing these lists will not add to the headaches of the company's administrators, because they do not have to be written out for each workstation. The system lets you create several list templates and configure policies that define which groups of users correspond to which "white list".
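The whitelisting described in this section, AppLocker restricting scripts to one path and Device Guard allowing only code from trusted publishers, can be built and tested from PowerShell before it is rolled out. The block below is an added example, not code from the article or from Microsoft. It assumes an administrator session on Windows 10 Enterprise, that C:\CorpScripts is the folder the company deploys its own scripts to and that it is writable only by administrators; all paths, file names and the "Corp" names are placeholders.

```powershell
# Added example (not from the article): an AppLocker script whitelist plus a
# Device Guard code integrity policy, built and tested from PowerShell.
# Assumptions: run as administrator on Windows 10 Enterprise; C:\CorpScripts
# holds the company's own scripts and is writable only by administrators
# (a path rule on a user-writable folder is trivially bypassed); all paths,
# file names and the "Corp" names are placeholders.

$ScriptDir  = 'C:\CorpScripts'
$PolicyPath = "$env:TEMP\CorpScriptPolicy.xml"

# --- AppLocker: allow scripts only from $ScriptDir.
# S-1-1-0 is the well-known SID for Everyone. As soon as the Script collection
# contains any rule, AppLocker denies every script that no rule allows, so one
# Allow rule for the corporate folder blocks scripts from Downloads, %TEMP%,
# mail attachments and everywhere else.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow corporate scripts"
                  Description="Only scripts deployed to $ScriptDir may run"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$ScriptDir\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8

# Dry run before enforcing. Test-AppLockerPolicy needs real files to evaluate,
# so two empty placeholders are created: one inside the allowed folder, one in
# the user's Downloads, where a malicious .js from a phishing mail would land.
$Candidates = @("$ScriptDir\backup.ps1", "$env:USERPROFILE\Downloads\invoice.js")
foreach ($f in $Candidates) {
    if (-not (Test-Path $f)) { New-Item -ItemType File -Path $f -Force | Out-Null }
}
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# Expected: backup.ps1 is Allowed via "Allow corporate scripts";
#           invoice.js is DeniedByDefault because no rule covers it.

# Enforce locally. Rules are only evaluated while the Application Identity
# service runs (on recent builds it is protected and must be set to start via
# sc.exe or Group Policy if Set-Service is refused). In a domain, pass -Ldap
# with the GPO path to Set-AppLockerPolicy so every workstation gets the list.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Blocked script launches are logged as event ID 8007; 8006 means "would have
# been blocked" when the collection is in AuditOnly mode.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8006, 8007 } |
    Select-Object TimeCreated, Id, Message

# --- Device Guard / code integrity: build a publisher-based whitelist from
# the executables already installed and start in audit mode (rule option 3)
# so nothing is blocked until the audit log shows the policy is complete.
$CiXml = "$env:TEMP\CorpCI.xml"
New-CIPolicy -FilePath $CiXml -Level Publisher -Fallback Hash -ScanPath 'C:\Program Files' -UserPEs
Set-RuleOption -FilePath $CiXml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $CiXml -BinaryFilePath "$env:TEMP\SIPolicy.p7b"
# Next steps (manual): sign SIPolicy.p7b with the organization's certificate so
# a local administrator cannot replace it, copy it to
# C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot to load it.
```

Two things to check before enforcing on real machines: once the Script collection is enforced, administrative PowerShell scripts outside the allowed folder stop running too, and PowerShell drops into Constrained Language Mode for non-allowed scripts, so deploy the administrators' tooling into the whitelisted path first. Run the code integrity policy in audit mode for a few weeks and review the CodeIntegrity event log before switching the policy to enforced, otherwise line-of-business software that was not under C:\Program Files during the scan will be blocked.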

Global Protection


Above we talked about protecting mail with Exchange Advanced Threat Protection, but a similar solution exists at the operating system level. This is Windows Defender Advanced Threat Protection (WD ATP), whose sensors are built into Windows 10. The sensors are off by default and are easily activated with an onboarding script distributed through group policy. Once WD ATP is active, it logs all events that occur on each PC: every created file, process, registry key and network connection, and the links between these events. The data is analyzed in the Azure service, which builds a template of normal behavior for each individual workstation, and if behavior deviates from it (malicious activity appears on the device), WD ATP sends a notification to its console and by mail to the administrator. The results of analysis and monitoring are shown on a single reporting screen in the Windows Defender Security Center portal, which is intended primarily for security professionals.

This is a fairly powerful service that performs functions close to those of a SIEM system (and integrates with third-party SIEMs). It analyzes data coming from a large number of endpoints with Windows, Office and EMS, which lets it use a single threat base and detect attacks before they reach antivirus vendors' databases. Perhaps no other company can compare with Microsoft in its ability to collect telemetry from computers and servers around the world: every day millions of copies of Windows, Office and other Microsoft applications send information about their security status.

Windows Defender ATP detects attacks in time, conducts in-depth analysis of files and quickly determines the threat level in the region and the extent of infection. It is a cloud system that requires no separate installation or complex configuration, which is convenient and economical for companies. The latest Windows 10 Enterprise (E5) images contain built-in sensors that detect malicious behavior, and the administrator gains access to them when connecting to the Windows Defender ATP service.


Interestingly, even while releasing such advanced protection tools, Microsoft does not position itself as a player in the information security market. Nevertheless, the mere fact that the company has taken care of protecting its customers' information resources at such a high level says something in itself: an antivirus alone is not enough.
