Today we released the latest volume of the Microsoft Security Intelligence Report (SIR) containing a large body of new data and analysis on the threat landscape. This volume of the SIR includes:
- Latest industry vulnerability disclosure trends and analysis
- Latest data and analysis of global vulnerability exploit activity
- Latest trends and analysis on global malware and potentially unwanted software
- Latest analysis of threat trends in more than 100 countries/regions around the world
- Latest data and insights on how attackers are using spam and other email threats
- Latest global and regional data on malicious websites including phishing sites, malware hosting sites and drive-by download sites
In addition, we have included a section in the report focused on how the threat called Conficker continues to propagate. Conficker has been one of the top threats in the enterprise for the past two and a half years, and many of the customers I talk to have been struggling to eradicate it from their environments. Given that a new variant of Conficker has not been released in years and the methods it uses to propagate are well known, we wanted to understand how it continues to be so successful. The Microsoft Malware Protection Center did some new research and uncovered how Conficker has been able to remain a top threat in the enterprise: weak and stolen passwords. The passwords that Conficker uses to grind against file shares are well documented and very simple. But it appears that many organizations have still not implemented strong password policies, allowing Conficker to spread in their environments successfully using passwords like “admin”, “admin123”, “administrator”, “default”, “test”, “12345” and “security.”
Figure: Blocked Conficker infection attempts on enterprise computers, as detected by Microsoft Forefront Endpoint Protection
The report contains background information on all the methods Conficker uses to spread, and a full analysis on an operating system by operating system and Conficker variant by variant basis. I asked the folks in Microsoft’s IT department (MSIT) to provide some specific guidance for IT departments that continue to struggle with Conficker – this is included in the new SIR as well.
This new volume of the SIR also contains a new section on “advanced persistent threats” or APT. The problem with the term APT is that it doesn’t describe this category of threats very accurately, so it’s not very helpful. In particular, the threats we see at Microsoft in this category are not any more “advanced” or technically sophisticated than many of the broad-based attacks currently in use on the Internet, like Conficker. From a high level these targeted attacks by determined adversaries (a more accurate and useful term for this category of threat) use unpatched vulnerabilities for which updates are available, weak passwords, and social engineering to compromise systems – the same list of tactics that broad-based attacks like Conficker use.
Applying security fundamentals goes a long way to protecting systems from both Conficker and targeted attacks conducted by determined adversaries. Using strong passwords, running anti-malware software from a trusted vendor, keeping all software installed on systems up to date in a timely manner, and using newer versions of software and/or service packs will all help manage risks associated with both broad-based attacks and targeted attacks conducted by determined adversaries. Organizations that don’t have strong competencies in IT or security can offload some of this work to cloud providers. For organizations that have high value assets and are likely to be targeted, a more holistic security strategy will help manage the risk better than a strategy focused on prevention and recovery (creating a hard, crunchy outer shell with a soft gooey center). A strategy that employs prevention, detection, containment and recovery will help organizations manage the risk in a more holistic way – all the details are included in the new SIR.
I encourage you to download the new SIR and take full advantage of the new research it contains as well as the hundreds of pages of threat intelligence. You can download the report and watch related videos at www.microsoft.com/sir.
Director, Trustworthy Computing