New Microsoft tools aim to protect expanding attack surface
New security concerns have arisen around initial attack vectors and visibility into a broader attack surface as companies have moved to the cloud, according to Microsoft.
Microsoft launched two new Defender tools Thursday in response to a growing attack surface with increasingly advanced threat actors.
The cloud-driven services, Microsoft Defender External Attack Surface Management (EASM) and Microsoft Defender Threat Intelligence (TI), are intended to help security teams better understand threats from both internal and external standpoints, including identifying vulnerabilities and entry points to an environment. Like other Microsoft Defender tools, customers can subscribe to the services and access them through online portals.
The offerings, which can be used to protect on-premises and cloud infrastructures, were built with RiskIQ technology, a security intelligence vendor Microsoft acquired one year ago.
With that technology, the new tools aim to assist companies with common mistakes such as unknown exposed ports, which are often used as an initial attack vector.
Rob Lefferts, corporate vice president for Microsoft 365 Security, said open ports are a big problem for organizations. Many times, enterprises are unaware that risks such as those are even present in their infrastructures.
"For customers I talk to, it's surprising how often they are surprised," Lefferts said. "It's important to get on top of that, but the fact of the matter is, it's companies that have been around for decades and their infrastructure is built up. It's easy for someone to make a new mistake."
One goal of EASM is to allow security teams to view the infrastructure the same way an attacker would in order to get ahead of them, Lefferts said. Attackers are trying to build graphs, he said, to draw a map through an organization to its crown jewels. They may start trying to connect to a node, or find accounts and credentials. Compromised credentials and a lack of multifactor authentication are ongoing problems for cloud security.
For a broader attack, Lefferts said threat actors may directly target Active Directory, or a CFO's email account.
"As defenders trying to think what will these graphs look like, we tell them where to start," he said.
For example, if a threat actor is going to scan for open ports, companies can do that ahead of time to gain visibility into where those are.
Even without that specific threat, Lefferts said there's a lot of chaos in any big organization. One example he provided was if a marketing team hires a vendor to put up a website and the vendor doesn't use existing company infrastructure.
"They put it somewhere on the internet and all the sudden, there's this thing attached to your company brand and when it gets hacked people will think you got hacked, and no one will understand the difference," he said.
Subsequently, the responsibility would fall on the CISO, so understanding the organization's broad footprint and the resulting expansion of attack surface is important, he said.
In April, Microsoft published a blog that examined the growth of attack surface using RiskIQ data. With more than 100,000 hosts and 613 new domains created each minute, Microsoft said both legitimate organizations and threat actors contribute to that growth. Additionally, the blog noted the move to remote work has created a shift where "sometimes, threat actors know more about an organization's attack surface than their SOC [security operations center] does."
External attack surface management is a newer category in the cybersecurity industry. While there are other products available, Lefferts highlighted how Microsoft leveraged its acquisition of RiskIQ to create tools in this space that focus on external attack surface from a threat actor's point of view, while also giving customers the visibility and control to address any issues.
"The thing we think we're doing to make this more powerful for folks is to give them the ability to look across all the places they have infrastructure, the ability to connect Microsoft Defender and then the ability, if you are using Azure, to self-service your protection and service insights to tell them to turn off the thing that was causing the particular problem," he said.
Access to Microsoft threat intel
Defender TI utilizes threat intelligence on threats such as malicious files, malware, email campaigns and other attacks observed by Microsoft. It includes reports on specific threats and offers ways to address them. There are already about 2,000 reports available, according to Lefferts, with new ones published daily.
The new tool can also serve as a workbench to educate enterprises about how attackers are operating, including what domains and URLs they use. Lefferts said troves of security data are analyzed and curated by researchers and analysts to produce whatever Microsoft thinks will be helpful to specific customers.
"We see a crazy number of signals, 43 trillion signals, but no one wants that to be dumped on top of them. That's where human intelligence of our own research and hunting teams come to bear," he said.
Additionally, he said Microsoft is investing heavily into turning data into insight. These days, much of the focus is on tracking ransomware groups. Part of the tech giant's threat intelligence goal is to help security teams understand the emerging trends, and human-operated ransomware is one that Leffert's observed over the past five years.
"They take ideas from old ransomware, but nowadays it's different," he said. "It's a targeted attack from one of these groups. They scan looking for open RDP [remote desktop protocols] to break in and with a human at the keyboard, they'll exploit your company, move slowly, do reconnaissance. They are copying techniques from more advanced attackers."
According to the Microsoft blog on the expansive attack surface, the use of RDP skyrocketed 41% following the massive move to remote work, making it all that more important to secure.
With Defender TI, Microsoft wants to provide a way for companies to understand the trends, such as which tools ransomware groups use to exploit a specific device, and whether it's a Mac or a PC. The service can also provide insight into, for example, which IP address attackers connect to in the cloud to perform the reconnaissance, Lefferts said.
The cloud has experienced accelerated growth in recent years as more organizations seek to improve productivity and efficiency. However, Lefferts said the growth of cloud services has also expanded attack surfaces as attackers look to take advantage of the cloud's low barrier to entry and ease of use.
"We make it easier for people, and attackers are people," he said. "We're going to think a lot about how we protect the new technologies, and that's a place where the industry as a whole has made a lot of progress."