Dissecting Windows 10 Security -- Redmondmag.com

Dissecting Windows 10 Security

New features such as the Antimalware Scan Interface, Virtualization-Based Security and threat analytics are making Windows much more difficult to exploit, but hackers and researchers demonstrate it's still not impossible.

By Sean Martin
09/20/2016

Every time Microsoft has released a new version of Windows over the past two decades, the company has raised the bar with improved security and each upgrade immediately becomes a target of hackers and cybercriminals looking to find new holes in the OS. Last year's Windows 10 release and the Anniversary Update release pushed out by Microsoft two months ago are no exception.

Microsoft has added some significant new security features to the Windows 10 Anniversary Update, code-named "Redstone," that experts and longtime critics admit are quite impressive. Overall, IT organizations will welcome these new security features, experts say. Given the Anniversary Update is the enterprise equivalent of a first service pack for Windows 10, though arguably with more features than typical service packs, enterprises are looking to roll out new systems or upgrade to the new OS in the coming year, according to a number of surveys, because most enterprises passed on Windows 8/8.1 and Windows 7 was released seven years ago. While organizations' PCs with Windows 10 will be more secure than systems with earlier versions, the OS still isn't impenetrable.

Key Security Enhancements
Security experts and analysts say the two most noteworthy security features in a laundry list of new capabilities are the new Antimalware Scan Interface (AMSI) APIs and a list of upgraded Virtualization-Based Security (VBS) features introduced in the OS last year. Still, also worth noting are the improved support for extended multi-factor authentication via the new Windows Hello biometric log-in capability, and the addition of Advanced Threat Protection (ATP) and Windows Information Protection to Windows Defender, which provides extended BitLocker encryption that reduces the risk of data leakage.

Just a week before Microsoft pushed out the update, researchers and the hacker community dissected the Windows 10 Anniversary Update at the annual Black Hat USA conference in Las Vegas. Multiple sessions were devoted to breaking down the latest version of Windows, both by Microsoft officials, security researchers and, of course, the hacker community.

IT professionals will come to their own conclusions about whether some of these new features provide breakthrough improvements in security or whether they're simply incremental updates.

Vulnerabilities Exposed by Black Hats
Despite Redmond's emphasis on addressing real-world vulnerabilities, less than two months following the release of the Anniversary Update, the number of exploits discovered in Windows 10 remains high. Some reports were not entirely accurate, critics note, such as problems related to the Secure Boot mode with so-called "golden keys" discovered in August. But it's clear many organizations remain exposed to zero-day threats, ransomware and other vulnerabilities. Granted, the rollout of Windows 10 among enterprises, no less the Anniversary Update, is still in its early stages.

It should be noted that the demos were showcased at the Black Hat Conference a week before the actual code was pushed out and Microsoft routinely roles out patches. Likewise, these are not easy targets by any stretch, experts say.

Exploiting AMSI Script Protection
Of the new security features, AMSI is arguably the most interesting of the new features in Windows: It's a set of APIs that can be deployed in Microsoft's own Windows Defender antimalware software to protect against script-based attacks by scanning files and other data in memory. The APIs also perform reputation tests of URLs and IT addresses. In addition to running them in Windows Defender, Microsoft is making the AMSI APIs available to third-party endpoint security software providers and to other applications. As of this writing, only AVG is offering it in its antimalware offering, others say they're still evaluating it and some don't want to comment at all (see a report on third-party AMSI support).

Nikhil Mittal, a self-proclaimed hacker, trainer and penetration tester, demonstrated some weaknesses in AMSI in a session at the Black Hat conference. AMSI is designed to intercept potentially malicious scripts in memory, as well as allow other applications designed to register and process content via the AMSI framework. The intent behind AMSI is to catch scripted threats regardless of input method or how well the threat is hidden, eliminating them before they can execute. AMSI tries to catch the scripts at the scripting host level as they're loaded from WMI namespaces, registry keys or event logs. Traditional disk-based detection is unable to catch such scripts as the storage is rather unusual and unable to be analyzed.

"What makes AMSI really special is its visibility into the system it's protecting," says Brad Bussie, CISSP, director of Product Management at STEALTHbits Technologies Inc., a supplier of security software. "Being able to look at WMI namespaces, registry keys and event logs -- all untraditional places that scripts can potentially run from -- gives AMSI insight into attacks that would otherwise go undetected."

Mittal demonstrated ways attackers could get around AMSI. Mittal organized his demonstrations of AMSI bypasses using Windows PowerShell as the source of the attack.

"PowerShell is the hottest threat vector area from a malicious shell perspective," Mittal explained. "It has a low rate of detection, the payloads are very effective, and Windows comes pre-loaded with PowerShell. The tool is also used by sys admins, which means activities performed using this tool could easily stay off the radar as it mixes with normal traffic."

Mitall presented the following AMSI exploit methods:

Unusual Shell Execution
- Run without powershell.exe
- Utilize reflection (within the memory space of another process)
- Apply application whitelisting bypass (install and so on)
Signature Bypass (This method is known as obfuscation, or the ability to render the script unclear or unintelligible to AMSI)
- Remove the help section
- Obfuscate the function and variable names (change names to numbers, for example)
- Use simple obfuscation tools that work
- Encode parts of the script
- Deliver the payload

"This method is fast and very effective at the time of this presentation," Mitall explained. AMSI flaws extend beyond the ability to bypass the system. AMSI can also be exploited by attackers that have elevated permissions to the Windows machine running AMSI. Mitall presented two options, referencing two separate researchers:

Matt Graeber (@mattifestation) -- a one-line command; no admin privilege is necessary (client-side attacks are possible); also bypasses automatic logging
Cornelis de Plaa (@Cneelis) -- moves powershell.exe to where the AMSI.dll is and executes it from there; loads a fake DLL (AMSI doesn't execute)

"With the necessary credentials in use and with one simple command, AMSI can be set from enabled to disabled without a single notification sent to a user or administrator," Bussie notes.

"Does this mean doom and gloom for the Red Team?" Mittal asked during his presentation, referring to Microsoft's internal teams that employ offense-based models to detect vulnerabilities (see "Microsoft's Security Posture: The Best Defense Is a Strong Offense"). Mittal cited the following steps:

Use PowerShell v2 (which requires the Microsoft .NET Framework 3.0 and does not come with Windows 10)
Significantly change the signature of your scripts, which is relatively easy to do
Disable AMSI
Backward compatibility is a huge deal for Microsoft -- you still see the .NET Framework 3.0 on Windows 10

As with most security systems, when automated detection and response processes aren't available (or possible) directly at the endpoint, some event correlation system -- and possibly even human intervention -- is necessary.

"Keep in mind, most of the attacks discussed do generate event logs," says Bussie. "This brings up a very important point about monitoring event logs when leveraging a service like AMSI. Administrators will want to make sure they log and alert on PowerShell events and look for signs of an attacker attempting to bypass logging. Remember, AMSI is only effective when paired with other security measures and should not be relied upon as a standalone component."

Microsoft's Security Posture: The Best Defense Is a Strong Offense

Microsoft has discovered value in Pwn2Own competitions held for nearly a decade at the annual CanSecWest security conferences -- namely for the vulnerabilities found by hackers in its Internet Explorer browser, which was replaced with the new Edge browser in Windows 10. The company has found them of so much value that company officials wish they could run an exploit competition all year long. Now, Microsoft effectively does run them on an ongoing basis via its Bounty Program.

Still, Microsoft didn't want to wait for the potential exploits to be uncovered through in-the-wild means. The company's security researchers also wanted to find the vulnerabilities themselves (without delay) to limit the exposure of those vulnerabilities. Plus, Microsoft wanted the OS to be developed in a way that made it more difficult to exploit, and not just be free from exploitable code.

With those lofty goals in place, the Offensive Security Research (OSR) and Microsoft Security Response Center (MSRC) teams have developed a new plan. Microsoft worked with Adobe Systems Inc. to leverage some of Adobe's successful secure code development strategies, creating a three-part plan revolving around data-driven software defense:

Analyze: comprehensive set of real-world data to identify opportunities for tactical attack disruption and future strategic hardening.
Build: security engineers build the fences; they explore mitigation concepts with the product owners and prototype/productive mitigation design.
Evaluate: Windows OSR team evaluates mitigations and attempts to bypass so flaws can be addressed.

Through this plan, which David Weston, principal security engineering manager at Microsoft and a leader on the company's OSR team, described the focus as "augmenting preventative security." Weston explained during a session at the annual Black Hat USA conference in Las Vegas in late July how both teams analyzed two years of previous in-the-wild OS exploits and documented every aspect of the attacks. These teams also analyzed three years of Internet Explorer attacks -- focusing on the four zero-day attacks in a row that forced enterprises and government entities to withdraw their recommendations for use of the Windows native browser.

The two teams collaborated and analyzed the exploits, ultimately developing what could be shipped as patches aimed squarely at disrupting hacker attempts to find bugs in the browser. The results were impressive: The average lifespan of in-the-wild zero-day attacks was reduced from 135 days to 45 days.

"Attackers are experts at identifying gaps in the SDLC strategy," said Weston, explaining that 135 days of vulnerability availability is always better for a hacker than 45 days.

Microsoft also employed a Red Team "offensive security" model with the goal of modeling real-world attacks and techniques such as spear phishing campaigns, watering holes and exploit kits to proactively discover new threats. The team internalized its findings and used them to focus its efforts, feeding the Microsoft Blue Team with data to help drive that team's in-the-wild detection capabilities.

"Organizations must simulate real-world incident response scenarios before one actually occurs," said Weston. "Get your process, owners and messaging all sorted out."

Leveraging their success with their in-the-wild tear-downs and supporting the Red Team and Blue Team efforts, the teams began to find ways to eliminate the opportunity for gaps to be identified by any bad actor. To move things rapidly forward, the teams embraced a four-tactic strategy, investing heavily to make it difficult and costly to find, exploit and leverage software vulnerabilities through a layered, data-driven software defense.

Tactic 1: Eliminate entire classes of vulnerabilities

Objective a: get rid of hand-to-hand combat
Objective b: increase the attackers cost to find the vulnerabilities
Result: attack surface cleaned up -- tons of code removed in the Edge browser

Tactic 2: Break exploitation techniques

Objective a: get rid of the things on which attackers rely
Objective b: break their existing techniques and exploits
Result: create many more steps attackers need to perform to develop reliable attacks

Tactic 3: Contain damage and prevent persistence

Objective a: look for ways to identify, isolate and contain damage if a vulnerability is exploited
Objective b: increase the cost for an attacker to effectively leverage an exploit
Result: strong sandboxing and isolation for applications running on Windows

Tactic 4: Limit the window of opportunity to exploit

Objective a: limit the scope and window of opportunity for a successful exploit
Objective b: minimize an attacker's return on investment
Result: response mechanisms quickly developed, applied and deployed

"There are armies of developers -- so this needs to scale," said Weston, speaking of the large numbers of Microsoft engineers building the OSes and supporting applications. "Developers need to be able to write code, test code and check in code -- it needs to be simple to put [these tactics] into the process."

Brad Bussie, CISSP, director of Product Management at STEALTHbits Technologies Inc., says it's a smart approach. "Analyzing the operating system in the wild is a great way to glean the types of attacks that Microsoft will continue to face," Bussie says. "The use of the Red Team to simulate real-world attacks and look for vulnerabilities in the operating system helps to add another layer of security to Windows. By employing real-time preventative patching and building the operating system with security in mind from the start, mitigation techniques will continue to improve and vastly strengthen the integrity of Windows."

Cutting Through Virtualization-Based Security
AMSI is among the newest approaches by Microsoft to make Windows more secure. Another approache, introduced with last year's release of Windows 10, is VBS. VBS uses processor virtualization extensions to create a hardware-based security boundary between the sensitive Windows components and data and the rest of the OS. Built on and taking advantage of security capabilities found in Hyper-V -- such as Hypervisor Code Integrity (HVCI) and Local Security Authority (LSA) -- VBS in the Windows 10 Anniversary Update can create secure execution environments for sensitive Windows functions and data by isolating core OS services, thereby keeping user mode and kernel mode processes separate from each other.

In Windows 10, the Credential Guard feature leverages VBS to protect the domain credentials, users' credentials and the underlying Windows authentication subsystem. It does this by isolating a portion of the LSA service, thereby mitigating security risks associated with pass-the-hash and pass-the-ticket attacks. Rafal Wojtczuk, a security researcher at Bromium, demonstrated at Black Hat how Mimikatz -- a tool that allows bad actors to extract cleartext passwords and password hashes from memory -- would fail to execute on a system protected with Credential Guard. However, as Wojtczuk pointed out during his presentation, "even in the most hardened configuration, once an attacker has system privileges, they can silently authenticate as a logged-in user to remote servers from the compromised machine until reboot."

In this case, VBS utilizes Hypervisor Code Integrity (HVCI) to keep unauthorized apps from running in both user and kernel mode while also combatting successful exploitation of vulnerabilities. This is a significant improvement, given, as Wojtczuk points out the obvious, "attackers love arbitrary code running in ring0," which isn't possible with Kernel HVCI, according to Wojtczuk. Still, Device Guard and HVCI are not without flaws. Wojtczuk found that before the MS16-066 patch for Windows 10, bad actors could locate some pages with read/write/execute (RWX) permissions in ring0, giving them the ability to bypass HVCI.

"Device Guard is device-feature-dependent," says Bromium Founder and CTO Simon Crosby. "In particular, VBS requires Windows 10 Secure Boot, which is supported on all new PCs, but is not possible on older, BIOS-booted Windows endpoints that are upgraded to Windows 10. As a result, organizations will be unlikely to achieve enterprise-wide adoption of VBS in the near term."

Prominent information security strategist and professor Demetrios Lazarikos believes there's work to be done. "Given some of the recent ‘safe' boot compromise claims hitting media sites, I would also be concerned about the integrity of the data if the data were somehow manipulated or compromised prior to boot," says Lazarikos, who is currently chief information security officer at vArmour, a datacenter and cloud security provider.

Windows Defender ATP Service
There's no question that the Windows Defender ATP Service represents a step forward in bringing Windows Defender implementation and management into the enterprise. With its updated release in Windows 10, the service is now enabled by default.

However, "malware, rootkits and zero-day vulnerabilities still represent a significant challenge to any anti-virus or antimalware technology," says Bussie, adding that some protection is still better than no protection at all. But, "until perimeter firewalling, east-west firewalling and software firewalling are tied in with deep packet inspection, anti-virus will continue to be too late for targeted attacks."

Deepak Patel, director of Security Strategy for Web application firewall provider Imperva, argues that Windows Defender, or any other anti-virus software for that matter, will be unable to keep up with the constantly morphing malware. "There is enough evidence -- from reports like the Verizon Data Breach Investigations Report -- that shows most malware is only seen once in the wild," Patel says. "Also, it takes minimal effort to create new strains of malware with just enough variance to bypass [anti-virus] detection. This means threat intelligence and signature-based approaches to malware detection and containment can only stop known malware."

Because ATP is a cloud-based service, there are some questions surrounding how the protections would work (or not) when an ATP-protected system is offline.

"How will this service function when machines aren't connected?" Lazarikos asks. "Would it be possible to install or embed something that would ‘come alive' once it detected that the system wasn't connected, leaving it to operate in a vulnerable state?"

Again, some of the challenges with newer capabilities are that they aren't always backward-compatible, even if Microsoft does everything in its power to meet this challenge.

"I wish Microsoft had offered this as an enterprise offering for all Windows endpoints," says Crosby. "However, ATP is Windows 10-specific and requires that the customer is on an enterprise license under Software Assurance."

Windows Hello
Windows Hello is Microsoft's approach to implementing multi-factor authentication as a replacement to passwords. Introduced last year with Windows 10, the core idea is that users can leverage facial recognition or fingerprint readers to log into their compatible Windows 10 device.

"Several of these pieces require specific hardware (cameras, chipsets), which will exist in newer systems, but not many legacy systems," says Eldon Sprickerhoff, founder and chief security strategist at eSentire Inc., a supplier of incident detection and response systems. "Unless the user experience is uniformly positive, it's not going to get significant traction."

Windows Hello isn't a Microsoft-only option. "What happens if and when other vendors create their own solutions?" asked Lazarikos. "Remember when Lenovo and Dell created their own biometrics systems -- which one would you choose if there were more than one option available?"

The challenges of adoption aren't limited to Windows machines, as clearly pointed out by Bromium's Crosby: "Windows Hello is a fantastic capability for local access to a device, but doesn't banish usernames and passwords altogether because users of Web services will still need to log in to those services in site-specific ways."

Perhaps the default choice is made for the enterprise, leaving the integration of these security systems up to the InfoSec practitioners to deal with. To help keep the UX and management consistent, Microsoft has made the authentication framework extensible, as can be found with Intel's Hello-enabled Authenticate Technology and emphasized by its involvement and support for the Fast IDentity Online (FIDO) Alliance. The Windows 10 Anniversary Update supports the new FIDO 2.0 spec, which Microsoft says sets the stage for Windows Hello to support industry standards and work across platforms and within heterogeneous environments, which the company says is "central to our strategy for Windows Hello."

The update to Windows Hello with the Windows 10 Anniversary Update also allows for per-application authorization based on facial or fingerprint recognition. This is great for defining fine-grained policies, but could also introduce additional challenges.

"The per-application approach is a great feature for those who are concerned that a user accessing applications might not actually be the same user that unlocked the workstation," adds Bussie. "However, systems are inherently flawed by believing that the logged-in user really is the user behind the keyboard. While this is a better approach to solving the problem beyond relying on easy-to-guess or -crack passwords, the OS is still potentially vulnerable to being fooled."

Windows Information Protection
Windows Information Protection is one part data at rest (Enterprise BitLocker) and three parts Data Protection (leak protection, sharing protection and data separation). The idea of building data loss prevention capabilities directly into the OS should prove great for system performance, widespread adoption and integration into core Windows applications.

While BitLocker should be essential in enterprise builds, it should be noted that a certain level of training is also needed for the users. David Kennefick, solutions architect at Dublin-based managed security services provider Edgescan, offers this useful tip: "If a user is told to shut down their machine when it's not in use or they don't have it on their person, this can severely hamper an attack attempt. If a user has just set their machine to sleep as opposed to shut-down, there is a potential for compromise if an attacker is able to access the memory of the machine while it sits in this state."

It may be a small window of vulnerability, but one that should be taken seriously as the encryption keys are stored in memory for use when the machine "wakes up." "It is also useful for organizations to know the state of a laptop if it has been lost or stolen," Kennefick adds. "If the laptop was shut down, it is less likely to be exploited compared to a laptop that has just been put in sleep mode."

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.