MalwareTips Bot

Meet Jimmy. Jimmy is an employee in your company. He Does Things With Computers (official title).


Last Wednesday, as Jimmy got out of his car after parking in the company-owned parking lot, he saw something on the ground.


That something is a 512GB USB flash drive!


Jimmy picks up the drive, whistling along to himself as he enters the office and settles down in his cubicle. At which point he plugs in his new, free USB flash drive. Without knowing it, Jimmy has just allowed targeted malware into your company's network.


Next up, we have Zee, who has been working on an important new account. She has a presentation coming up after the holidays and wants to make a final few tweaks while she's away from the office on vacation. On the Friday before she leaves, she plugs in her corporate-approved USB flash drive and copies over the presentation files, including the client's information about their yet-to-be-registered patent ideas.


On Saturday at the airport, as she's digging around in her bag for her plane tickets, she accidentally drops the USB drive with the Peterson account's files. She doesn't tell you; she doesn't even realize she's lost the drive.


A less-than-honest person swoops by and picks up the drive.


On Tuesday, you hear from the Peterson account that they've decided to go with another company, one that hasn't had their files stolen and sold across the dark web.


These are pretty scary scenarios, but they are possible. So, how do you protect against these and similar attacks?

Windows Defender ATP to the rescue


Knowing that removable device usage is a concern for enterprise customers in both of these types of scenarios, we've worked on how removable devices can be protected with Windows Defender Advanced Threat Protection (Windows Defender ATP):


We recommend a layered approach for device control security, which incorporates multiple avenues of protection, including each of the above. In future blogs we'll also talk about recent malware infections that use USB drives to spread, and dive deeper into how data loss prevention should be a part of your device control strategy.

Prevent users from using removable devices (partially/fully)


We know, unfortunately, that people will plug in devices with unknown history (and that there are also attackers out there who directly attempt to control devices without relying on social engineering). These devices could be the source of malware infections that use USB and other removable devices to get initial access to a system or network.


This vector of attack falls under social engineering, in this case appealing to our weakness for shiny things: when we see a free item we're inclined to take it, even if we don't need it. It becomes shiny and exciting and precioussssess and we wantssesss it.


To help protect against these attacks, you can stop any removable device from being seen and interacted with by blocking users from using any removable device on the machine.


To refine how you use this feature, Windows Defender ATP lets you block only certain, defined external devices from being used on certain machines or by certain users.


You can use device hardware IDs to lock out (or enable) specific device types and device manufacturers. You'll need to do some manual configuration with a DeviceInstallation policy that uses the IDs you specify, which you can read about at our documentation site. This way you can be more targeted, without blocking employees that need to use USB drives.


If you allow removable devices in your organization, we recommend that you whitelist known-good devices. For example, if your company buys only from a handful of device manufacturers, you can whitelist (allow) only those manufacturers.

Protect against malware infections that use USB devices to spread


After reducing which removable devices can be used in your company, you can also make sure that the allowed removable storage drives that are connected are protected by Windows Defender Antivirus.


First, ensure that real-time scanning for USB devices is enabled, and then make sure to enable the Exploit Guard attack surface reduction rule that can block untrusted and unsigned files on the removable device as soon as it's connected.


If the device has direct memory access (DMA) capability (typically Thunderbolt devices), it can potentially be used to bypass the login and lock screen.


You can prevent this situation by blocking devices from having DMA until a user logs on.


This can be done in Intune by creating a Device Restrictions policy and setting the Direct Memory Access toggle to Block under the General settings category (as in the following screenshot), or with the DmaGuard MDM CSP policy.





View the device control support documentation for other Windows Defender scanning options (including scheduled scans and starting scans after a removable device is mounted) as well as other DMA protections.

Control how users can use removable devices (DLP)


Another angle that can be used within this range of defenses is data loss prevention (DLP). DLP seeks to prevent unintentional (and intentional) loss or theft of sensitive company information. A DLP solution should include a holistic approach across multiple vectors or places where information can be improperly shared. Some of the DLP solutions we offer are:

The two parts of DLP that are most relevant to removable devices are the use of BitLocker (in particular, BitLocker To Go) and Windows Information Protection.


We'll be publishing a blog in the new year that talks more about DLP solutions, but in this blog we're going to focus on BitLocker and WIP as potential protections against the scenarios we started with.


You can require that files written to removable media are BitLocker protected through Intune configuration settings.





When you plug in a device that has been encrypted with BitLocker, any files added to the device are automatically encrypted. If someone then tries to access those files on that removable drive by plugging it into another, untrusted computer, they will be prompted to decrypt the removable drive. They won't be able to do this without a recovery key, password, or smart card, which only company employees have.


With Windows Information Protection, users are prevented from copying sensitive information, and from running files that belong to unknown or untrusted apps. This means users that try to copy sensitive or confidential-marked materials will be prevented from doing so, and will be notified depending on the level of enforcement.

Use advanced hunting queries to view and identify suspicious removable device activity


On the flip side, however, it can be hard to know which actual devices you should block, and when and which users to prevent from using removable devices, so you can deploy the protections above in specific Active Directory or Intune groups to restrict the controls to certain groups.


For example, you may have employees that should never need to use removable devices because their work is sensitive and shouldn't be shared. However, you don't want to prevent your creative, sales, and marketing teams from being able to easily share content briefs with external groups.


Going beyond these tactics though, you can use advanced hunting in Windows Defender ATP to identify users, machines, and types of devices that are being used suspiciously, as in the following example:


MiscEvents
| where ActionType == "PnpDeviceConnected"
| extend ParsedFields=parse_json(AdditionalFields)
| project ClassName=tostring(ParsedFields.ClassName), DeviceDescription=tostring(ParsedFields.DeviceDescription),
    DeviceId=tostring(ParsedFields.DeviceId), VendorIds=tostring(ParsedFields.VendorIds), MachineId, ComputerName, EventTime
| where ClassName contains "drive" or ClassName contains "usb"

This is a small part of the full query (Map external devices) on our hunting GitHub repository (authored by Microsoft Senior Engineer Tomer Alpert).
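The query above reports every removable-storage connection; the allowlisting advice earlier in the post (allow only the manufacturers you buy from) is what turns that list into findings. The Python below is an added example, not code from the blog or its GitHub repository: it applies the same parse/filter steps as the KQL to constructed sample rows and flags connected drives whose VendorIds value is not on a constructed allowlist. The event shape, vendor-ID strings and machine names are all assumptions made for the example.

```python
import json

# Vendor IDs of the manufacturers the company buys drives from (constructed allowlist; the blog
# recommends allowing only known-good manufacturers when removable drives are permitted at all).
APPROVED_VENDOR_IDS = {"USB\\VID_0781", "USB\\VID_0951"}
# Constructed sample events shaped like the rows the hunting query reads: an ActionType plus an
# AdditionalFields JSON string carrying ClassName, DeviceDescription, DeviceId and VendorIds.
SAMPLE_EVENTS = [
    {"ActionType": "PnpDeviceConnected", "ComputerName": "ws-jimmy", "EventTime": "2018-12-19T09:02:11Z",
     "AdditionalFields": json.dumps({"ClassName": "USB", "DeviceDescription": "USB Mass Storage Device",
                                     "DeviceId": "USB\\VID_ABCD&PID_1234\\EXAMPLE01", "VendorIds": "USB\\VID_ABCD"})},
    {"ActionType": "PnpDeviceConnected", "ComputerName": "ws-zee", "EventTime": "2018-12-21T16:40:03Z",
     "AdditionalFields": json.dumps({"ClassName": "DiskDrive", "DeviceDescription": "SanDisk Cruzer USB Device",
                                     "DeviceId": "USB\\VID_0781&PID_5567\\EXAMPLE02", "VendorIds": "USB\\VID_0781"})},
    {"ActionType": "PnpDeviceConnected", "ComputerName": "ws-zee", "EventTime": "2018-12-21T16:41:10Z",
     "AdditionalFields": json.dumps({"ClassName": "HIDClass", "DeviceDescription": "USB Input Device",
                                     "DeviceId": "USB\\VID_046D&PID_C31C\\EXAMPLE03", "VendorIds": "USB\\VID_046D"})},
    {"ActionType": "PnpDeviceConnected", "ComputerName": "ws-finance", "EventTime": "2018-12-24T08:15:45Z",
     "AdditionalFields": json.dumps({"ClassName": "DiskDrive", "DeviceDescription": "Generic USB Drive",
                                     "DeviceId": "USB\\VID_1F75&PID_0917\\EXAMPLE04"})},  # no VendorIds reported
]

def parse_event(event):
    """Mirror the query's extend/project: expand AdditionalFields; missing keys become "" like tostring() in KQL."""
    fields = json.loads(event.get("AdditionalFields") or "{}")
    return {
        "ClassName": str(fields.get("ClassName", "")),
        "DeviceDescription": str(fields.get("DeviceDescription", "")),
        "DeviceId": str(fields.get("DeviceId", "")),
        "VendorIds": str(fields.get("VendorIds", "")),
        "ComputerName": event.get("ComputerName", ""),
        "EventTime": event.get("EventTime", ""),
    }

def is_removable_storage(parsed):
    """The query's class filter; KQL 'contains' is case-insensitive, so compare lower-cased."""
    class_name = parsed["ClassName"].lower()
    return "drive" in class_name or "usb" in class_name

def find_unapproved_connections(events, approved_vendor_ids=APPROVED_VENDOR_IDS):
    """Connected removable-storage devices whose vendor is not allowlisted; a device reporting no VendorIds is flagged too."""
    flagged = []
    for event in events:
        if event.get("ActionType") != "PnpDeviceConnected":
            continue  # the query's first filter: only device-connection rows
        parsed = parse_event(event)
        if is_removable_storage(parsed) and parsed["VendorIds"] not in approved_vendor_ids:
            flagged.append(parsed)
    return flagged
```

On the sample rows this flags the unknown-vendor drive on ws-jimmy and the vendorless drive on ws-finance, while the approved SanDisk drive and the keyboard (filtered out by the class check, exactly as in the KQL) are not reported.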

Where to get more information and support


For more details and examples on implementing the above scenarios to help protect your assets, refer to the device control support documentation.


If you have any further questions or would like more information about the feature, just leave us a comment below or get in touch with us on Twitter. We'll be back in the new year with even more device control capabilities, so make sure to subscribe or bookmark or follow or whatever you need to do so you don't miss out. We'll also be writing more blogs about the different ways you can use device control, such as data loss prevention (DLP) and disconnected devices.





Jody Cedola (@SecureITBlanket) and Iaan D'Souza-Wiltshire (@IaanDW)
Windows Defender Advanced Threat Protection

Talk to us


Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.


Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.


The post Windows Defender ATP has protections for USB and removable devices appeared first on Microsoft Secure.


Jack Aubry

Alternatively, I would suggest using a specialized tool to protect systems and data when the threat originates from unauthorized use of devices such as USB flash drives, or to protect data inside authorized USB drives on the go.

Specifically, USB-Lock-RP Device Control would be a more effective and much more straightforward approach.
For example: when Jimmy inserts the unknown USB flash drive he found in the parking lot into the company computer, the device would have been blocked by USB-Lock-RP software and the malware infection would have been prevented.
To accomplish this, only 2 clicks would have been required:

  1. Select the computer from the network list.
  2. Press the removable drives sector lock. (see image)
Doing so would have not only prevented the USB flash drive from infecting the system but also would have prevented infection originating from other devices such as: smartphones, e-SATA drives, FireWire, USB Attached SCSI, smart cards... and last but not least USB HID impostor BadUSB devices such as USB Rubber Ducky (I don't believe BitLocker would have blocked this kind of device).
With the advantage that the intrusion attempt would have been automatically logged at the USB-Lock-RP Device Control Administrative Console.
Additionally, it would have been as simple to apply this setting to a large number of computers using the Groups function.

In the second presented scenario, when Zee extracts sensitive company data onto her approved USB drive and loses the device, access to the data would have been prevented by USB-Lock-RP. Setting this protection would have been this easy:
  1. Select the computer from the network list.
  2. Press the Files to Thumb drives Monitoring and encryption buttons ON. (see image)
Information would have been protected, as this setting forces encryption on any files transferred from the PC to the device.
(While the device remains connected to the PC, files are still accessible.)
But with the following advantage:
The names of the files and their exact size would have been logged when Zee transferred the files from the company computer to the authorized USB flash drive.
This is important because the company wouldn't be left guessing as to what files had been lost.
The USB-Lock-RP demo can be tested to protect 5 client computers in a network without time limitation, so you might give this a go.

Deleted member 178

Or in the case of Jimmy, if he were a serious IT person, he would use a VM/network-disconnected spare machine and format the drive.

And Zee would encrypt her data prior to transferring it to the USB.

No need for Windows ATP or some dedicated apps, just skills.