CIO

Microsoft's big Windows Defender ATP update: bad macros, fileless malware and faster response

  • Liam Tung (CSO Online)
  • 07 December, 2018 09:27

Microsoft has released new feature updates to Windows Defender ATP for the enterprise that are aimed at reducing the attack surface and giving security teams faster response capabilities.

The updates, detailed today, beef up Defender ATP's "attack surface reduction" feature with two new rules that allow enterprises to prevent Outlook and Adobe Reader from creating child processes. That should block attacks that use malicious macros in Office documents to download malware, as well as exploits for vulnerabilities in both Reader and Office.

The new additions bring the total number of attack surface reduction rules to 14. All of them target common malware techniques and help defenders mitigate ransomware, untrusted executables arriving by email, malware that attempts to steal credentials from lsass.exe — the Windows local security authority subsystem — and unsigned processes running from USB drives.
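The two child-process rules described above are enabled per rule GUID through Microsoft Defender Antivirus preferences. The following PowerShell is an added example, not code from the article or from Microsoft: it stages both rules in audit mode first, then reads the Defender operational log to see which processes would have been blocked before switching to block mode. It assumes an elevated PowerShell session on a Windows 10 or Windows Server host with ASR support, and the rule GUIDs are the ones Microsoft publishes in its ASR rule reference (an assumption to verify against the current documentation before rollout).

```powershell
# Added example (not from the article): stage the Outlook and Adobe Reader
# child-process ASR rules in Audit mode, review what they would have blocked,
# then enforce. Run from an elevated PowerShell on a host running Microsoft
# Defender Antivirus with attack surface reduction support.

# Rule GUIDs as published in Microsoft's ASR rule reference (assumption: verify
# against current docs; they are not quoted in the article).
$Rules = @{
    'Block Office communication apps (Outlook) from creating child processes' = '26190899-1602-49e8-8b27-eb1d0a1ce869'
    'Block Adobe Reader from creating child processes'                         = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'
}

# Apply both rules with the same action. Audit mode logs what the rule would
# have stopped without interrupting users, which is the safe first step for a
# rule that touches every Outlook and Reader launch in the fleet.
function Set-ChildProcessRules {
    param([ValidateSet('Audit', 'Block', 'Disabled')][string]$Mode = 'Audit')
    $action = @{ Disabled = 'Disabled'; Audit = 'AuditMode'; Block = 'Enabled' }[$Mode]
    foreach ($name in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules[$name] `
                         -AttackSurfaceReductionRules_Actions $action
        Write-Host "$name -> $action"
    }
}

# Report the currently configured action for each of the two rules, so a
# change can be confirmed on the host (or compared across hosts).
function Get-ChildProcessRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($name in $Rules.Keys) {
        $idx = [array]::IndexOf($ids, $Rules[$name])
        $state = if ($idx -ge 0) {
            # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
            @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }[[int]$acts[$idx]]
        } else { 'Not configured' }
        [pscustomobject]@{ Rule = $name; Id = $Rules[$name]; State = $state }
    }
}

# Pull ASR events for these two rules from the Defender operational log.
# Event 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
# The message text carries the rule GUID and the paths involved, which is
# what an admin reviews before flipping Audit -> Block.
function Get-ChildProcessRuleEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $msg = $_.Message
            ($Rules.Values | ForEach-Object { $msg -match [regex]::Escape($_) }) -contains $true
        } |
        Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1121) { 'Block' } else { 'Audit' } } },
            Message
}

# Typical rollout: audit first, review for a week, then enforce.
Set-ChildProcessRules -Mode Audit
Get-ChildProcessRuleState | Format-Table -AutoSize
Get-ChildProcessRuleEvents -Hours 168 | Format-List
# Set-ChildProcessRules -Mode Block   # once the audit events show no legitimate child processes
```

The audit events are the part worth reading carefully: a line-of-business add-in that launches a helper from Outlook, or a PDF workflow that spawns a converter from Reader, will show up here as an event 1122, and those are the exceptions to settle (or the rules to leave in audit for that group) before block mode reaches the whole fleet.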

Another update aims to help defenders during a security crisis, such as a fast-moving malware outbreak. The new emergency security intelligence updates can be issued by Microsoft's Windows Defender ATP research team to all cloud-connected devices in an enterprise.

It is a fast track to updates from Microsoft's Defender ATP cloud, which could take the heat off security admins who might otherwise wait hours for updates to arrive from their own internal Windows infrastructure.

As an aside, Microsoft notes that it has added new "dedicated detections" for malicious cryptocurrency miners, which have become a growing menace to enterprises. The Bitcoin price boom appears to be over for now, but criminals are still looking to free-ride on others' hardware to generate cryptocurrency. A university in Canada earlier this month disabled its entire IT network for four days to halt a cryptocurrency miner that was bleeding its compute and power resources for unauthorized purposes.

Microsoft has also rolled out a new feature called "incidents", aimed at giving responders the big picture when they are under attack. Incidents are designed to bring some order to potentially noisy Defender ATP alerts by automatically grouping alerts that have likely been triggered by the same attack.

Incidents also group the affected machines and display the connections between malware and infections in a graphical interface within the Windows Defender Security Center.

Microsoft claims it can save up to 80 percent of analyst time by cutting out much of the manual work that goes into correlating malicious events. 

Other key recent additions include automation of the processes for investigating and remediating "fileless" malware attacks, an increasingly popular method of avoiding detection by executing in memory and leaving no trace on disk. The update adds automated memory forensics to pinpoint memory regions that may have been used in a fileless malware attack.

Finally, Microsoft is using its acquisition of the code-hosting site GitHub to improve Defender ATP by tapping into the security researcher community that shares its queries with others on the site. The queries can be used as custom detection rules, giving customers a shortcut to creating detection rules, which would otherwise require them to come up with an alert title, severity of the issue, a category, a description, and recommended actions.