Dissecting Windows 10 Security

New features such as the Antimalware Scan Interface, Virtualization-Based Security and threat analytics are making Windows much more difficult to exploit, but hackers and researchers demonstrate it's still not impossible.

Every time Microsoft has released a new version of Windows over the past two decades, the company has raised the bar with improved security and each upgrade immediately becomes a target of hackers and cybercriminals looking to find new holes in the OS. Last year's Windows 10 release and the Anniversary Update release pushed out by Microsoft two months ago are no exception.

Microsoft has added some significant new security features to the Windows 10 Anniversary Update, code-named "Redstone," that experts and longtime critics admit are quite impressive. Overall, IT organizations will welcome these new security features, experts say. Given the Anniversary Update is the enterprise equivalent of a first service pack for Windows 10, though arguably with more features than typical service packs, enterprises are looking to roll out new systems or upgrade to the new OS in the coming year, according to a number of surveys, because most enterprises passed on Windows 8/8.1 and Windows 7 was released seven years ago. While organizations' PCs with Windows 10 will be more secure than systems with earlier versions, the OS still isn't impenetrable.

Key Security Enhancements
Security experts and analysts say the two most noteworthy security features in a laundry list of new capabilities are the new Antimalware Scan Interface (AMSI) APIs and a list of upgraded Virtualization-Based Security (VBS) features introduced in the OS last year. Still, also worth noting are the improved support for extended multi-factor authentication via the new Windows Hello biometric log-in capability, and the addition of Advanced Threat Protection (ATP) and Windows Information Protection to Windows Defender, which provides extended BitLocker encryption that reduces the risk of data leakage.


Just a week before Microsoft pushed out the update, researchers and the hacker community dissected the Windows 10 Anniversary Update at the annual Black Hat USA conference in Las Vegas. Multiple sessions were devoted to breaking down the latest version of Windows, both by Microsoft officials, security researchers and, of course, the hacker community.

IT professionals will come to their own conclusions about whether some of these new features provide breakthrough improvements in security or whether they're simply incremental updates.

Vulnerabilities Exposed by Black Hats
Despite Redmond's emphasis on addressing real-world vulnerabilities, less than two months following the release of the Anniversary Update, the number of exploits discovered in Windows 10 remains high. Some reports were not entirely accurate, critics note, such as problems related to the Secure Boot mode with so-called "golden keys" discovered in August. But it's clear many organizations remain exposed to zero-day threats, ransomware and other vulnerabilities. Granted, the rollout of Windows 10 among enterprises, no less the Anniversary Update, is still in its early stages.

It should be noted that the demos were showcased at the Black Hat conference a week before the actual code was pushed out, and Microsoft routinely rolls out patches. Likewise, these are not easy targets by any stretch, experts say.

Exploiting AMSI Script Protection
Of the new security features, AMSI is arguably the most interesting addition to Windows: It's a set of APIs that can be deployed in Microsoft's own Windows Defender antimalware software to protect against script-based attacks by scanning files and other data in memory. The APIs also perform reputation tests of URLs and IP addresses. In addition to running them in Windows Defender, Microsoft is making the AMSI APIs available to third-party endpoint security software providers and to other applications. As of this writing, only AVG is offering it in its antimalware product; others say they're still evaluating it, and some don't want to comment at all (see a report on third-party AMSI support).

Nikhil Mittal, a self-proclaimed hacker, trainer and penetration tester, demonstrated some weaknesses in AMSI in a session at the Black Hat conference. AMSI is designed to intercept potentially malicious scripts in memory and to let other applications register with the framework and submit content for scanning. The intent behind AMSI is to catch scripted threats regardless of input method or how well the threat is hidden, eliminating them before they can execute. AMSI tries to catch the scripts at the scripting host level as they're loaded from WMI namespaces, registry keys or event logs. Traditional disk-based detection is unable to catch such scripts because they are stored in unusual locations that file scanners do not analyze.

"What makes AMSI really special is its visibility into the system it's protecting," says Brad Bussie, CISSP, director of Product Management at STEALTHbits Technologies Inc., a supplier of security software. "Being able to look at WMI namespaces, registry keys and event logs -- all untraditional places that scripts can potentially run from -- gives AMSI insight into attacks that would otherwise go undetected."

Mittal demonstrated ways attackers could get around AMSI. Mittal organized his demonstrations of AMSI bypasses using Windows PowerShell as the source of the attack.

"PowerShell is the hottest threat vector area from a malicious shell perspective," Mittal explained. "It has a low rate of detection, the payloads are very effective, and Windows comes pre-loaded with PowerShell. The tool is also used by sys admins, which means activities performed using this tool could easily stay off the radar as it mixes with normal traffic."

Mittal presented the following AMSI exploit methods:

  1. Unusual Shell Execution
    • Run without powershell.exe
    • Utilize reflection (within the memory space of another process)
    • Apply application whitelisting bypass (install and so on)
  2. Signature Bypass (This method is known as obfuscation, or the ability to render the script unclear or unintelligible to AMSI)
    • Remove the help section
    • Obfuscate the function and variable names (change names to numbers, for example)
    • Use simple obfuscation tools that work
    • Encode parts of the script
    • Deliver the payload

"This method is fast and very effective at the time of this presentation," Mittal explained. AMSI flaws extend beyond the ability to bypass the system. AMSI can also be exploited by attackers who have elevated permissions on the Windows machine running AMSI. Mittal presented two options, referencing two separate researchers:

  • Matt Graeber (@mattifestation) -- a one-line command; no admin privilege is necessary (client-side attacks are possible); also bypasses automatic logging
  • Cornelis de Plaa (@Cneelis) -- moves powershell.exe to where the AMSI.dll is and executes it from there; loads a fake DLL (AMSI doesn't execute)

"With the necessary credentials in use and with one simple command, AMSI can be set from enabled to disabled without a single notification sent to a user or administrator," Bussie notes.

"Does this mean doom and gloom for the Red Team?" Mittal asked during his presentation, referring to Microsoft's internal teams that employ offense-based models to detect vulnerabilities (see "Microsoft's Security Posture: The Best Defense Is a Strong Offense"). Mittal cited the following steps:

  • Use PowerShell v2 (which requires the Microsoft .NET Framework 3.0 and does not come with Windows 10)
  • Significantly change the signature of your scripts, which is relatively easy to do
  • Disable AMSI
  • Backward compatibility is a huge deal for Microsoft -- you still see the .NET Framework 3.0 on Windows 10

As with most security systems, when automated detection and response processes aren't available (or possible) directly at the endpoint, some event correlation system -- and possibly even human intervention -- is necessary.

"Keep in mind, most of the attacks discussed do generate event logs," says Bussie. "This brings up a very important point about monitoring event logs when leveraging a service like AMSI. Administrators will want to make sure they log and alert on PowerShell events and look for signs of an attacker attempting to bypass logging. Remember, AMSI is only effective when paired with other security measures and should not be relied upon as a standalone component."
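Bussie's advice to log and alert on PowerShell events can be turned into a first-pass triage script. The following Python is an added example, not code from the article or from any of the researchers it cites; it runs over constructed records shaped like Windows PowerShell log entries (engine start, event ID 400, and script block logging, event ID 4104) and flags the signs the article describes: a downgrade to the PowerShell v2 engine, script blocks that reference AMSI or script block logging, and encoded or character-code obfuscation.

```python
import base64
import re

# Constructed sample records in the shape of Windows PowerShell log entries
# (ID 400 = engine started, ID 4104 = script block logged). Not real captures.
SAMPLE_EVENTS = [
    {"id": 400, "EngineVersion": "5.1.19041.1", "HostName": "ConsoleHost"},
    {"id": 400, "EngineVersion": "2.0", "HostName": "ConsoleHost"},
    {"id": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"id": 4104, "ScriptBlockText": "Set-ItemProperty HKLM:\\SOFTWARE\\Policies\\Microsoft"
     "\\Windows\\PowerShell\\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0"},
    {"id": 4104, "ScriptBlockText": "$c=[char]71+[char]101+[char]116; & ($c+'-Date')"},
    {"id": 4104, "ScriptBlockText": "powershell.exe -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
    {"id": 4104, "ScriptBlockText": "(Get-Process -Id $PID).Modules | "
     "Where-Object { $_.ModuleName -like 'amsi*' }"},
]

# -EncodedCommand / -enc / -e followed by a base64 blob (UTF-16LE script text).
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Coarse heuristics only; each hit is a triage lead, not a verdict.
RULES = [
    ("amsi_reference", re.compile(r"amsi", re.I)),  # ordinary scripts rarely name AMSI
    ("logging_tamper", re.compile(r"ScriptBlockLogging|ModuleLogging", re.I)),
    ("char_code_obfuscation", re.compile(r"(\[char\]\d+.*?){3,}")),
    ("encoded_command", ENCODED),
]


def decode_encoded_command(text):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENCODED.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Return (event_index, rule_name) pairs for events worth an analyst's attention."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] == 400 and ev.get("EngineVersion", "").startswith("2."):
            findings.append((i, "powershell_v2_downgrade"))  # v2 engine has no AMSI hook
        elif ev["id"] == 4104:
            text = ev.get("ScriptBlockText", "")
            decoded = decode_encoded_command(text) or ""  # rules also run on decoded text
            for name, rx in RULES:
                if rx.search(text) or rx.search(decoded):
                    findings.append((i, name))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the v2 engine start, the logging registry change, the char-code and encoded script blocks, and the block that enumerates the amsi module, while the plain `Get-ChildItem` line and the v5 engine start pass silently.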
