In my travels
abroad over the years, I have had the great opportunity to meet with
many enterprise customers to discuss the evolving threat landscape. In
addition to helping inform customers, these meetings have provided me
with an opportunity to learn more about how customers are managing risk
within their environments. Many of these customers are interested in
learning about the top threats found in enterprise environments.
Visibility into what threats are most common in enterprise environments
helps organizations assess their current security posture and better
prioritize their security investments. Given the high level of interest
in this information, I thought it would be helpful to take a close look
at the top 10 threats facing enterprise customers based on new
intelligence from the latest
Microsoft Security Intelligence Report (SIRv15).
The latest report found that in the enterprise environment, on
average about 11% of systems encountered malware, worldwide between the
third quarter of 2012 (3Q12) and the second quarter of 2013 (2Q13). The
“encounter rate” is defined as the percentage of computers running
Microsoft real-time security software that report detecting malware -
typically resulting in a blocked installation of malware. This is
different from the number of systems that actually get infected with
malware, a measure called computers cleaned per mille (
CCM).
Figure 1 (left): The
malware encounter rates for consumer and enterprise computers,
3Q12-2Q13. Figure 2 (right): The quarterly trends for the top 10
families detected by Microsoft enterprise security products, 3Q12-2Q13,
by percentage of computers encountering each family in 2Q13.
When we look at the top 10 enterprise threats worldwide from the list
above, it gives us insight into the most common ways in which
enterprise organizations are coming into contact with malware today.
Based on this list, there are three primary methods in which enterprises
are encountering malware:
- Via malicious or compromised websites
- Worms that spread through network drives, Autorun feature abuse, and/or weak passwords
- Social engineering that tricks the user into installing malware on their system
Malicious or Compromised WebsitesBy
the end of 2012, web-based attacks had surpassed traditional network
worms to become the top threats facing enterprises. The latest Security
Intelligence Report shows this trend is continuing in the first half of
2013.
Figure 3: The quarterly
trends for the top 10 families detected by Microsoft enterprise security
products, between the third quarter of 2012 and the second quarter of
2013, by percentage of computers encountering each family
In fact, in 2Q13 six out of the top ten threats facing enterprises
were associated with malicious or compromised websites. These threats
include
JS/Seedabutor,
HTML/IframeRef,
Win32/Sirefef,
JS/BlacoleRef,
Java/CVE-2012-1723 and
Blacole.
Computer users in organizations typically come into contact with these
types of malicious or compromised websites unexpectedly when browsing
the web while using their organization’s systems.
For example, in the case of HTML/IframeRef, attackers have built
automated systems that probe websites to identify and infect vulnerable
web servers. Once compromised, an infected server can then host a
small, seemingly benign, piece of code that is used as a redirector.
However, this code is part of a chain, and when victims visit the
website, the redirector can serve malicious pages from another malicious
server to infect the victim with malware. You can read about the
mechanics of this type of attack in a series of articles I wrote
previously:
What You Should Know About Drive-By Download Attacks - Part 1
What You Should Know About Drive-By Download Attacks – Part 2
Once a system is compromised with malware, it not only disrupts the
infected machine but also has the potential to cause harm to the systems
it interacts with. The infected system may be used to spread malware
both inside and outside the organization, and steal information such as
intellectual property.
Network Drives, Autorun, Weak PasswordsWhile
web-based attacks have become the most common threats facing
enterprises, worms cannot be ignored. In 2Q13 three out of the top ten
threats facing enterprises were associated with worms (
Win32/Conficker,
INF/Autorun,
Win32/Dorkbot). Worms are commonly spread through network drives, abusing the Autorun feature or exploiting weak passwords.
For example, the Conficker worm is commonly spread by exploiting weak
passwords. The worm uses a built-in list of common or weak passwords
to attempt to compromise other computers in addition to stealing the
credentials of any user that logs into the infected system. Passwords
such as “admin,” “admin123,” “administrator,” “default,” “test,” “12345”
and even “security” are part of Conficker’s list of passwords. Once
Conficker compromises a systems it can steal the credentials of an IT
administrator to spread on the internal network. Here’s how Conficker
spreads using this technique:
- A system becomes compromised
- The user suspects a problem and reports the issue to the administrator for help
- The administrator logs onto the infected machine with the network admin password to troubleshoot the problem
- Conficker steals the Admin
credentials, and immediately uses it to log onto every other machine in
the network and compromise those machines
Social EngineeringThe
third most common way in which enterprise organizations are
encountering malware, based on the latest threat intelligence, is
through social engineering;
Win32/Obfuscator
is an example of this. Cybercriminals will try to hide the malware
using deceitful tactics to trick you into installing it. There are a
number of ways this may occur.
For example, a compromised system may be used by attackers to send
out erroneous emails, friend requests or instant messages which contain
links to malicious sites or malware. Another common way in which
attackers try to trick people into installing malware is by bundling it
with popular software, movies or music that can be downloaded online.
We talked about this method in detail when we released the
Microsoft Security Intelligence Report Volume 13.
The good news is that there are effective mitigations and best practices that can be used to help to protect enterprises:
- Keep all software up-to-date:
Attackers will try to use vulnerabilities in all sorts of software from
different vendors, so it is important for organizations to keep all of
the software in their environment up to date and run the latest versions
whenever possible. This will make it harder for the types of threats
we see in the enterprise today to be successful. This tactic would have
helped to mitigate six out of the top ten threats detected in enterprise
environments in the first half of 2013.
- Demand software that was developed with a security development lifecycle:
Until you get a software update from the affected vendor, test it, and
deploy it, it’s important that you manage the risk that attackers will
attempt to compromise your environment using these vulnerabilities. A
very effective way for software vendors to help you do this is by using
security mitigations built into the platform, such as ASLR, DEP, SEHOP
and others. These mitigations can make it much harder for attackers to
successfully exploit vulnerabilities. Demand software from your vendors
that use these mitigations. You can check if the software you have in
your environment have these mitigations turned on, using a tools like Binscope or EMET. In cases where you have software deployed in your environment that do not use these mitigations, in some cases EMET
might be able to turn them on for you. These mitigations can help you
manage risk by giving you more time to test and deploy security updates
or new versions of software. An easy way to ask your vendors if they use
a security development lifecycle is to ask them if they meet the
guidance in an international standard called ISO 27034.
- Restrict websites:
Limit web sites that your organization’s users can visit. This likely
won’t be popular in the office, but given the majority of threats found
in the enterprise are delivered through malicious websites, you might
have the data needed to make a business case. Also, restricting web
access from servers has been a best practice for a long time.
• Manage
security of your websites: Many organizations don’t realize that their
websites could be hosting the malicious content that is being used in
these attacks. Organizations should regularly assess their own web
content to avoid a compromise that could affect their customers and
their reputation.
- Leverage network security technologies: technologies like Network Access Protection
(NAP), Intrusion Prevention System (IPS), and content filtering can
provide an additional layer of defense by providing a mechanism for
automatically bringing network clients into compliance (a process known
as remediation) and then dynamically increasing its level of network
access.
Of course, there is plenty of other
data and guidance in the latest Microsoft Security Intelligence Report;
it is designed to provide prescriptive guidance which can help our
customers manage risk and protect their assets. If you are responsible
for managing risk for your organization, then I encourage you to
download it today at www.microsoft.com/sir to learn about the latest threat trends.
Tim Rains
Director
Trustworthy Computing
A Snowden leak accompanying today's story on the NSA's Tailored Access Operations group (TAO) details the NSA's toolbox of exploits, developed by an NSA group called ANT (Advanced or Access Network Technology).
Microsoft appears to be readying some significant changes to its next version of Windows. 
