Microsoft Defender gets AI-assisted ransomware brakes

Microsoft Defender gets AI-assisted ransomware brakes

Microsoft has given its paid Defender for Endpoint for the business environment an additional layer of protection. This should be able to better recognize and block special ransomware attacks with the help of machine learning.

The manufacturer describes the new approach and initial results as follows: In human-controlled ransomware attacks, after penetrating a computer, they finally used the keyboard to move around the network. In other words: attackers enter commands on a command line. The automatic cloud-based protection of Windows Defender has now received a machine learning system to protect against such attacks, which evaluates the threat status of the computer and, if necessary, uses more aggressive blocks to protect the device and prevent further steps by the attacker.

Put simply, the cloud system recognizes on the basis of behavior and patterns that the device is at risk – for example by injecting system code and then using the task planner. It then regulates the further (heuristic) evaluations for greater sensitivity. This then blocks actually inconspicuous, supposedly harmless actions. The data points are collected by the Defender’s behavior detection module. Without readjusting the sensitivity, he would not recognize any danger in the individual actions.

Since the adaptive protection works with AI, the risk assessment of the device does not only depend on individual indicators. The AI ​​uses a large number of patterns and features to assess whether the system is currently being attacked. These skills are particularly suitable for combating ransomware that is actively controlled by humans. Even if attackers are using a file that is not yet known or known to be good, or even a legitimate process, the system could help prevent the file or process from starting.

Microsoft reports in its Security blog post on the AI ​​mechanism of a specific case in which the readjustment of the detection sensitivity was finally able to stop a banking malware called Cridex. Without the AI ​​protection, the Trojan would have become active and would have given the attackers access, they could have caused further damage. The blockade succeeded by taking into account indicators that otherwise would only have received low priority for a defense reaction.

Meanwhile, specialists in attack simulations (Red Teamer) and Incidence Response are discussing how Defender’s protection could be bypassed. A security researcher demonstrates how he can apparently carry out a typical attack pattern that has actually been recognized by simply renaming files.

For the curious: This example demonstrates a well-known attack technique called Living of the Land. Included Attackers abuse legitimate tools like regsrv32.exe for your purposes. In this case, the command loads a malicious script from an external server and executes it immediately. Since this happens in the regsrv32 context, protective measures such as white listing do not take effect. Defender blocks access on the first attempt; after renaming, the attack succeeds. However, it is not clear whether Microsoft’s new AI was already active in this experiment.

Microsoft has now activated the new Defender functions for all business customers. In order to use them, the cloud protection should be activated if it is not yet. It is still too early to make a final assessment. However, should it actually turn out that the protective function of the AI ​​or the rule-based heuristics is based to a significant extent on easily changeable features such as file names, their use would be very limited. Because attackers would quickly learn how to get around that.


Article Source