You may remember a time when Vulnerability Management (VM) involved nothing more than vulnerability scanning, penetration testing and web application assessments. This was all we needed to help us identify which of our technology assets were susceptible to cyber threats and seal up any vulnerabilities. However, the work environment has changed.
With the shift to the cloud and the rise of hybrid infrastructure and remote work policies, the digital footprint of the average business has expanded exponentially. The attack surface of today includes more than just your physical IT assets, and this expansion has fundamentally changed the surface area that IT security teams need to protect.
Add to that the massive year-over-year increase in global cyber threats over the last year. This is largely thanks to the pandemic forcing many businesses to accelerate their cloud migration so they could accommodate social distancing and lockdown directives. What this means is that cybersecurity professionals today have to think bigger than they ever needed to before.
What is an attack surface?
In simple terms, your attack surface is the total number of points where an unauthorized user can possibly access your system and extract any data, sensitive or not. It follows that the smaller your attack surface, the easier it is to protect.
There are two categories of attack surface:
Physical attack surface
This comprises all the endpoint devices that a malicious actor can gain access to and includes laptops, desktop computers, mobile phones, USB devices, hard drives, scanners, printers and more. Things that need to be considered with your physical attack surface are the careless discarding of devices that contain login credentials, passwords stored in unsecured places like a piece of paper, and physical break-ins.
Digital attack surface
Your digital attack surface includes all of the hardware and software that connect to your networks. This includes your servers, applications, websites, code, ports and shadow IT (when users bypass IT so they can use unauthorized applications or devices). This is the most vulnerable attack surface and the one that has expanded most, with hybrid infrastructures becoming commonplace.
Organizations today need to constantly monitor their attack surfaces to identify vulnerabilities and block potential threats as quickly as possible. They also need to do everything they can to minimize their attack surface. This is where Attack Surface Reduction (ASR) and ASR Rules come into play.
What is the difference between ASR and ASR Rules?
While interconnected, ASR and ASR Rules are two completely different things.
Attack Surface Reduction
Attack Surface Reduction is all about preventative security and endpoint hardening, which means turning off or blocking as many features as possible on the device in question without affecting its required functions. These measures effectively neutralize potential threats before they can turn into exploitable vulnerabilities.
An important thing to note is that ASR is an umbrella term for a lot of the Windows 10 built-in capabilities and cloud-based features designed to help you reduce the probability of a cyber attack. In other words, it is a Windows 10 feature that you can think of as a sort of Host Intrusion Prevention System (HIPS). By integrating ASR with Microsoft Defender for Endpoint, you get more management and visibility, enabling you to use ASR at scale.
ASR Rules are one of the features offered by ASR. You can think of them as the measures you can use to help you close some of the entry points that malicious actors commonly exploit. ASR Rules make it possible to restrict certain behaviours in your applications and files, as well as to block scripts that are often associated with malicious activity.
Some of the actions that cyber attackers are known to use include:
- Running malicious scripts on your endpoints
- Forcing legitimate applications to load malicious code such as modified DLL files and/or other processes
- Launching an executable file or script that tries to download or run malicious tools and files so they can carry out their attack from inside your network
There are obviously times when the behaviours listed above are legitimate, but they pose a risk because they can be abused by attackers. This means that before you run ASR Rules in block mode, you should run them in audit mode so you can capture more data and understand how they impact the normal functioning of your critical business applications.
What do I need to enable ASR Rules?
It is important to remember that using ASR Rules doesn’t mean you don’t trust the application whose features or functions you’re restricting or blocking. All they are doing is minimizing your overall risk level by reducing the probability of a cyber attacker finding a vulnerability to exploit.
Unfortunately, there are certain system requirements for you to be able to configure ASR Rules. These are:
- Windows 10 Pro/Enterprise/Education, version 1709 or later
- Windows Server, version 1803 (Semi-Annual Channel) or later
- Windows Server 2019
Windows 10 Pro gives you the ASR Rule capabilities as well. However, with the Windows 10 Enterprise E3 license, you get access to the entire ASR Rules feature set. This includes the ability to use Event Viewer to review your ASR Rule events.
If you want even more management and reporting capabilities, you will need the Windows E5 license with Microsoft Defender for Endpoint. The tools this gives you access to include monitoring, reporting, configuration, analytics and workflow through the Microsoft Defender for Endpoint Security Centre portal.
Whichever license you choose to use, your Microsoft Defender Antivirus (MDA) has to be active and not in passive mode. The reason for this is that ASR uses MDA to block applications, and it is currently not possible to configure ASR so that it can use another security solution to perform this function.
Remember: MDA automatically goes into passive mode if you’re using a third-party antivirus application.
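As an added example that is not part of the original article, the audit-first rollout described above, the Event Viewer review and the passive-mode caveat expressed as a single-endpoint PowerShell workflow. It assumes an elevated session on a host with the Defender PowerShell module, and the three rule GUIDs are the identifiers Microsoft publishes for the rules named in the comments (check them against the current rule reference before deploying).

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell
# session on Windows 10 / Windows Server with the Defender module available.

# 1. ASR relies on Microsoft Defender Antivirus being active; in passive mode
#    (e.g. when a third-party AV is installed) the rules will not enforce.
$status = Get-MpComputerStatus
if ($status.AMRunningMode -ne 'Normal') {
    Write-Warning "Defender AV is in '$($status.AMRunningMode)' mode; ASR rules will not block."
}

# 2. Rules that map to the attacker behaviours listed in the article.
#    GUIDs are Microsoft's published rule identifiers.
$rules = @{
    # Block execution of potentially obfuscated scripts
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Obfuscated scripts'
    # Block JavaScript or VBScript from launching downloaded executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Script-launched downloads'
    # Block all Office applications from creating child processes
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office child processes'
}

# 3. Start every rule in AuditMode: events are logged, nothing is blocked yet.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# 4. Confirm the configuration (actions: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                          $pref.AttackSurfaceReductionRules_Actions[$i]
}

# 5. After the audit period, review what would have been blocked.
#    Event ID 1122 = audit hit, 1121 = block, in the Defender operational log.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-14)
} | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 6. Promote a rule to block mode only once the audit data shows no business impact.
# Set-MpPreference -AttackSurfaceReductionRules_Ids '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

Run step 5 against the audit events for a full business cycle (month-end, patch windows) before uncommenting step 6 for each rule, since the 1122 events are the only evidence of what block mode would have stopped.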
Attack Surface Reduction offers a lot of features that can be incredibly helpful when it comes to reducing the attack surfaces of your endpoints, and therefore of your entire network environment. You will find that it is easier to implement some features than others, and you will need to find the balance that works for you and your organization.
But the simple truth is that you need to do everything in your power to reduce your attack surface, and using all the features that come with ASR is one of the easiest ways to do that. So take the time and do it now; in the event of a cyber attack, you will be glad you have ASR in place thanks to the efforts you make today.