A host of Microsoft security updates released as part of the latest Windows 10 release (version 1803) significantly reduce the attack surface of a Windows estate, security professionals say, with five new attack surface reduction rules making it much harder for attacks like Petya and other lateral-movement techniques to spread across a network.
The “really important” updates have so far gone largely overlooked.
The rules block executable files from running unless they meet a prevalence, age, or trusted-list criterion; use advanced protection against ransomware; block credential stealing from the Windows Local Security Authority Subsystem Service (lsass.exe); block process creations originating from PsExec and WMI commands; and block untrusted, unsigned processes that run from USB. Each rule can be set to audit mode before it is enforced, so administrators can see what it would have blocked.
The update’s ability to block credential stealing from LSASS particularly stands out.
“Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS,” Microsoft said.
“However, some organizations can’t enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority. In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS”, Microsoft said.
Etienne Greef, CTO of SecureData, told Computer Business Review: “Frankly these should have happened ages ago; they’re obvious patches to make, but with desktops becoming a much bigger target – as well as features, Microsoft has finally done something. If properly used this will block attacks like Petya and other lateral movement attacks, as well as stopping very common DDE exploits that are used in the wild.”
He added: “It might make Red Team life a little harder – I’m almost a bit disappointed! – but it’s good they’ve finally done it…”
One of the other main changes highlighted by information security professionals is the rule that lets admins block unsigned or untrusted executable files from running from USB removable drives, including SD cards.
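The five rules listed above, the USB rule included, are turned on per machine with the Microsoft Defender PowerShell cmdlets. What follows is an added example and not code from the article or from Microsoft: it stages the rules in audit mode, reviews the resulting Defender events, verifies the configured state, and then enforces. The rule GUIDs are the IDs Microsoft documents for these rules and should be checked against the current attack surface reduction reference before deployment; the exclusion path in the final step is hypothetical.

```powershell
# Added example (not from the CBR article or Microsoft). Run from an elevated
# PowerShell on Windows 10 1803 or later with Microsoft Defender Antivirus active.
# Rule GUIDs are Microsoft's documented ASR rule IDs; confirm them against the
# current ASR rules reference before deploying at scale.

$AsrRules = @{
    'Block executables unless prevalence/age/trusted-list criterion met' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Use advanced protection against ransomware'                         = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
    'Block credential stealing from LSASS'                               = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block process creations from PsExec and WMI'                        = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block untrusted and unsigned processes that run from USB'           = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
}

function Set-AsrRules {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        # 'Warn' exists on newer builds only, so it is deliberately left out here.
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')][string]$Mode = 'AuditMode'
    )
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
}

# 1. Stage every rule in audit mode first.
Set-AsrRules -Ids $AsrRules.Values -Mode AuditMode

# 2. Review what audit mode would have blocked. Defender writes ASR events to the
#    Microsoft-Windows-Windows Defender/Operational log:
#    1121 = rule blocked an action, 1122 = rule would have blocked (audit mode).
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Message = $_.Message
        }
    } | Format-Table -AutoSize -Wrap

# 3. Verify which rules are configured and in which mode. Get-MpPreference returns
#    the IDs and the actions as two parallel arrays.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
    $name = ($AsrRules.GetEnumerator() | Where-Object Value -eq $id).Key
    $mode = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { $_ }
    }
    '{0,-10} {1}  {2}' -f $mode, $id, $name
}

# 4. Once the audit events are understood, enforce. Microsoft's note about the
#    LSASS rule applies here: if a custom smartcard driver or other LSA plug-in
#    shows up in 1122 events, exclude that one binary rather than leaving the
#    whole rule off. The path below is hypothetical.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Vendor\lsaplugin.dll'
Set-AsrRules -Ids $AsrRules.Values -Mode Enabled
```

Audit mode is the step most often skipped: the PsExec/WMI rule in particular will flag legitimate remote-administration tooling, and the 1122 events are the only way to find that out before the rule starts blocking it.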
No More “Cottonmouth” Ripoffs?
It comes as many security professionals drew lessons from Edward Snowden’s leak of the NSA’s “ANT catalogue”, a 50-page classified document listing technology available to the agency’s Advanced Network Technology (ANT) Division to aid in cyber surveillance.
This included tools like “Cottonmouth-I”, a USB hardware implant that provides a wireless bridge into a target network via a “covert channel”, something more than a few hackers rapidly emulated.
Chris Wallis, founder of penetration testing specialists Intruder, told Computer Business Review: “Microsoft are definitely raising the bar with this update, and taking away some firm favourites from the attacker’s bag of tricks. While some of the rules may inconvenience in edge cases, most companies will be able to apply them without much fuss, and genuinely level up their cyber security. Attackers will find new ways around, as always, but it’s definitely one small step closer to Bill Gates’ vision of Trustworthy Computing.”
This article is from the CBROnline archive: some formatting and images may not be present.