Microsoft Defender protects Mac and Linux from malicious websites

Image: freestocks/Unsplash

Microsoft’s security tools aren’t just for Microsoft platforms, because attackers aren’t just targeting Windows.

“Over the past few years, we’ve seen the threat landscape evolve where attackers and cybercriminals target all platforms equally,” Tanmay Ganacharya, associate director of security research at Microsoft, told TechRepublic. “We have seen a significant increase in vulnerabilities found and reported for non-Windows platforms, as well as in malware and threat campaigns in general.”

As the dominant desktop operating system, Windows has long been the most popular target for attackers, but MITRE’s CVE statistics show that the number of vulnerabilities found on other platforms is growing rapidly.

“As Windows protection has gotten better and better over the past few years, the low hanging fruit no longer targets Windows endpoints, but some of those other endpoints that people assume are secure,” Ganacharya said.


BYOD policies have made corporate networks more diverse, and devices that were previously only connected to corporate networks are now likely on the internet as well. Attackers have also evolved so that in addition to trying to compromise endpoints, they also target credentials and identities.

“Yes, you can break in, but isn’t it better – for an attacker anyway – if he can just log in?” said Ganacharya. “Identities can be stolen from any device employees on a given network log into.”

Importance of an end-to-end approach to security

Detecting and preventing attacks on endpoints is only part of protecting your network and the resources it connects to, and you won’t always detect everything in time. You need an end-to-end approach.

“You need to think about everything running software or code on your network when you’re modeling threats to your network and then putting a plan in place,” Ganacharya said. “How are you going to identify these devices? How are you going to secure them? How do you handle alerts from all types of devices, and do you have manuals for responding to these alerts in the same way on all of these devices? How will you track or react when alerts appear in case threats are not prevented but detected?”

Start with endpoints

While it’s important not to rely solely on endpoints, you should always start with them. This is especially true for endpoints that you are not currently protecting, which is why Microsoft plans to have a comprehensive security suite for each platform, covering vulnerability management, attack surface reduction, threat prevention, detection and remediation, as well as the Microsoft on-demand Defender Expert Services, Ganacharya told TechRepublic.

“The threat research, threat intelligence, detection and remediation content we create can scale across all platforms,” he said. “We apply it at different stages of the attack so that we can stop the attack regardless of what device the customer is on.”

For endpoints, Microsoft is currently focusing on Linux, Mac, Android, and iOS, starting with anti-malware and endpoint detection and response. More recently, Defender for Endpoint added new features for Mac and Linux, focusing on attack surface reduction, web protection, and network protection.

These priorities correspond to the threats Microsoft sees on each platform, as well as what you can do on a phone, server, or laptop with available operating system capabilities.

“Each platform brings its own interesting threat landscape depending on how it is exploited, and each platform has its own limitations in terms of what an anti-malware or EDR-like solution can do on these platforms,” Ganacharya said.

Some of that will also depend on policies rather than technology, he notes.

“Certain devices present additional challenges, such as phones: how well do you track them when people use their personal phones to log in to email and Teams?”

Protect and detect with Microsoft Defender

Web protection covers things that happen entirely in the browser: providing a reputation score for websites, blocking known phishing, malware and exploit sites (or specific sites you’re concerned about), and tracking where users enter their corporate credentials, so that those credentials can be changed if the site turns out to be malicious.

“It can also allow you as a business to filter content and say, ‘Hey, these categories of websites are allowed on my network devices, these types of categories are not allowed on my network,’” Ganacharya said.

With Microsoft Edge on Windows, everything is done by SmartScreen in the browser, but you see alerts and metrics in the Defender for Endpoint portal (Figure A).

Figure A

Image: Microsoft. The Web Protection Dashboard shows both detected threats and whether your web filtering decisions are reducing the bandwidth consumed by browsing.

If you’re using other browsers, including Edge on macOS, which doesn’t yet have built-in web protection, the web protection features rely on the network protection features (Figure B).

Figure B

Image: Microsoft. Network Protection works with non-Edge browsers: the message in Safari itself may be generic, but the toast notification tells the Mac user whether they’re trying to open a phishing site or a legitimate webpage that is blocked on their work network.

“Everything you do in the browser, you can also see on the network, but then you can see a lot more on the network,” Ganacharya said. “If we can apply our detection capabilities to the network, we can still stop the same threats on those platforms.”

In addition to preventing browsers and other applications from connecting to malicious sites, Network Protection reduces the attack surface to block common attacks and allows defenders to explore network behavior that might indicate an attack is in progress.

Attack surface protection blocks man-in-the-middle attacks and prevents any compromised device on your network from connecting to command-and-control servers, which stops attackers from exfiltrating data, using your devices in a distributed denial-of-service attack, or downloading and spreading further malware.

It also ensures that users connect to the correct Wi-Fi network.

“Unauthorized Wi-Fi is a pretty big issue that many of our customers face,” Ganacharya said. “Employees end up connecting to an unsecured network or custom-built networks so they can listen to what you’re doing on your machine.”

Network-based exploits also pose a threat.

“You send a maliciously crafted packet over the network, and it can be used to compromise an endpoint,” Ganacharya said. “Virus and web protection may not stop it, but we may be able to detect post-exploit activity.”

He noted that Network Protection helps you defend in depth by having protections and detections that cover the different stages of an attack: “Even if one stage is missed, we catch it in the next stage.”

You can detect more attacks by monitoring endpoints directly as well as on the network.

“We are able to correlate which process on the endpoint created which traffic and which IP address it attempted to connect to,” he said.
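The process-to-connection correlation Ganacharya describes is something you can reproduce yourself on Linux without any agent, which is useful for understanding what an EDR sensor is actually joining together. The following is an added example, not Microsoft’s code and not part of the original article. It decodes the hex-encoded socket table in /proc/net/tcp, maps each socket inode to the process that holds it via the /proc/<pid>/fd symlinks, and flags connections to a blocklist. The sample socket table, the process/fd table and the “C2” address 198.51.100.77 are all constructed for the example (TEST-NET ranges), not captured from a real host; only `read_live_fd_table()` touches the real /proc.

```python
"""Correlate /proc/net/tcp sockets with the processes that own them.

Added example (not Microsoft's code). On Linux, an EDR-style sensor can tie
an outbound connection to a process by matching the socket inode listed in
/proc/net/tcp to the "socket:[<inode>]" symlinks under /proc/<pid>/fd.
The blocklist below is a constructed stand-in for a real indicator feed.
"""
import os
import re
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# TCP socket states as encoded in /proc/net/tcp (kernel tcp_states.h)
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}


@dataclass
class Connection:
    local: str
    remote: str
    state: str
    inode: int
    pid: Optional[int] = None
    comm: Optional[str] = None


def decode_addr(hex_addr: str) -> str:
    """'057100CB:01BB' -> '203.0.113.5:443'.

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    x86 the bytes appear reversed; the port is printed big-endian.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list:
    """Parse the contents of /proc/net/tcp into Connection records."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        conns.append(Connection(
            local=decode_addr(fields[1]),
            remote=decode_addr(fields[2]),
            state=TCP_STATES.get(fields[3], fields[3]),
            inode=int(fields[9]),
        ))
    return conns


def attach_owners(conns: list, fd_table: dict) -> list:
    """fd_table maps pid -> (comm, {readlink targets of /proc/<pid>/fd/*})."""
    inode_to_owner = {}
    for pid, (comm, links) in fd_table.items():
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                inode_to_owner[int(m.group(1))] = (pid, comm)
    for c in conns:
        if c.inode in inode_to_owner:
            c.pid, c.comm = inode_to_owner[c.inode]
    return conns


def flag_connections(conns: list, blocked_ips: set) -> list:
    """Return (comm, pid, remote) for non-listening sockets talking to blocked IPs."""
    hits = []
    for c in conns:
        if c.state == "LISTEN":
            continue
        ip = c.remote.rsplit(":", 1)[0]
        if ip in blocked_ips:
            hits.append((c.comm, c.pid, c.remote))
    return hits


def read_live_fd_table() -> dict:
    """Walk the real /proc (Linux only); needs root to see other users' fds."""
    table = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            fd_dir = f"/proc/{pid}/fd"
            links = {os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)}
        except OSError:  # process exited or we lack permission
            continue
        table[int(pid)] = (comm, links)
    return table


# Constructed sample data (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 1401A8C0:CB20 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 28814 1 0000000000000000 20 4 30 10 -1
   2: 1401A8C0:CB21 4D6433C6:1F90 02 00000000:00000000 00:00000000 00000000  1000        0 28901 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_FD_TABLE = {
    812: ("sshd", {"socket:[11001]", "/dev/null"}),
    4210: ("curl", {"socket:[28814]", "/dev/pts/0"}),
    4333: ("python3", {"socket:[28901]", "/tmp/payload.bin"}),
}
SAMPLE_BLOCKLIST = {"198.51.100.77"}  # constructed "C2" indicator


def demo() -> list:
    """Run the correlation over the constructed sample data."""
    conns = attach_owners(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_FD_TABLE)
    return flag_connections(conns, SAMPLE_BLOCKLIST)


if __name__ == "__main__":
    for comm, pid, remote in demo():
        print(f"ALERT {comm}[{pid}] -> {remote}")
```

On the sample data the only hit is the `python3` process in SYN_SENT to 198.51.100.77:8080; the `curl` session to 203.0.113.5:443 and the listening `sshd` socket are left alone. To run it against a live host, replace the two sample inputs with `open("/proc/net/tcp").read()` and `read_live_fd_table()` (as root, since /proc/<pid>/fd of other users’ processes is not readable otherwise). Note the race a real sensor has to handle: a short-lived connection can disappear between reading the socket table and walking the fd tree, which is one reason EDR agents hook connection events in the kernel rather than polling /proc.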

But if there are endpoints you aren’t protecting yet, perhaps because you didn’t even know they were on your network, network protection features can help you find them.

“For that, we need to not only be on an endpoint, and not only watch what traffic is being generated to that device, but also watch what other devices are identified on the network,” Ganacharya said. “Moving this detection capability to devices like routers helps you reduce your false negatives.”

Not all endpoint protection features for Windows devices are in place for macOS and Linux yet, and both are still in preview: for example, you can’t customize the messages users receive when a site is blocked or a warning appears, although that may come in the future.

In Linux, network protection is implemented as a VPN tunnel, and Defender does not include data loss prevention. Neither macOS nor Linux has the Defender Security Management option to manage security settings for Defender itself without the need for additional device management software.

Six distributions are supported for Defender on Linux: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16.04 LTS or a later LTS release, SLES 12+, Debian 9+, and Oracle Linux 7.2+. On Macs, you need macOS 11 or later.

Vulnerable devices that need to be protected

Other devices on your network may need to be tracked and protected.

“Routers, printers, conference room devices, smart TVs, smart fridge: all kinds of devices are connecting to the internet these days, and that’s increasing the attack surface,” Ganacharya said.

Ransomware is increasingly deployed hands-on by human operators rather than only by automated scripts, and those operators look for the easiest way in, which may well be a device you don’t think of as a threat. That’s why there’s a version of Defender for IoT and operational technology devices that uses network monitoring and does not need agents.

“Customers really need to accept this and assume that any device they have on their network can be an entry point for an attack,” Ganacharya warned.