Web Browser, the quickest gateway to access information across the globe, is often the easiest and the most used instrument to inject threat to your computer systems.
In this age of Digital Transformation, not having a web presence is rare. Tricking users to download malicious content via your web browser is much simpler. The attack surface is huge with the number of API’s and plugins present in the web browsers.
Adversaries not only exploit the vulnerabilities in the browsers to compromise your systems, but even for phishing, spear phishing or water holing techniques - entry vector will be the browser.
Hence, having inherent strong security measures in the browser destroys the standard playbook of the attacker making it more expensive and difficult to seep in. With the number of millennial users increasing with time, it is unfair to restrict their web access and having strong mechanisms in place which make users feel least restrictive and organizations more secure is the need of the hour.
Secured Browser
Microsoft Edge was built to safeguard users against malicious intent in the web world and make it difficult for the adversary to exploit the vulnerabilities in the browser.
Constantly learning SmartScreen is a cloud based anti-phishing and anti-malware component and is included in Microsoft Edge. It helps protect the users from non-reputed websites -- sites which have a history of phishing or malware hosting. The reputation of files downloaded by the user is checked by Smart Screen against the Microsoft Cloud Intelligence and the user is warned.
Microsoft Edge is the first Browser which supports Windows Hello for authentication on the Web. One of the major reasons for breaches is compromised passwords. Compromised passwords can be used by the adversaries to gain access to Intellectual Property or Personal Identifiable Information or for financial frauds. Weak passwords, passwords stored on the servers or hashes protected by LSASS can be a source of compromise. Microsoft foresees a world with no passwords – It’s Windows Hello, combined with Web Authentication, that enables this vision with biometrics and asymmetric cryptography.
Edge is built with Universal Windows Platform and is sandboxed by default. Edge and Flash only have access to 40% of the interfaces of win32k.sys which wasn’t the case earlier. Thereby, reducing attack surface substantially.
In addition, Edge supports latest web security standards and capabilities to block common attacks and prevent impersonation.
- Certificate Reputation – Detects fraudulent certificates offering protection against attackers that could have stolen a sites identity.
- EdgeHTML Engine – A completely rewritten Engine which supports W3C Content Security Policy (offers protection to developers against cross site scripting attacks) and HTTP Strict Transport Security ensures that connections to sites holding sensitive information are always secured.
- Address Space Layout Randomization (ASLR) on 64 bit systems - ASLR randomizes the memory layout for browser processes whereas the 64 bit processes makes the address space exponentially larger thus making it difficult for the attackers to play with memory based threats.
- Memory Garbage Collector (MemGC) frees up the memory automatically if it has no references pointing to it.
- Control Flow Guard (CFG) places stricter controls on where a code can be executed from thereby making it difficult for an attacker to run code through vulnerabilities like buffer overflow.
NSS lab report shows a comparative report on various browsers against Socially Engineered Malware.
Application Guard – Guarding the Gate!
Attackers would initially try to deliver the malicious code to your endpoint. This malicious code could be a targeted code, general code or a zero day which might not be detected by your Antivirus/Antispam solution. Once they successfully deliver this code, they will try executing the subsequent stages of the Cyber Kill Chain or achieve the objective in isolation.
(https://blogs.technet.microsoft.com/prasadpatil/2017/12/15/crippling-the-cyber-kill-chain/)
Traditional approaches like whitelisting and blacklisting could be quite cumbersome and not scalable enough to cater to the security threat landscape prevalent today. Secondly, restricting access to the outer world of knowledge could hamper the productivity of the employees.
What if users can browse without any restrictions whereas the organization are assured of safety?
Windows Defender Application Guard lets you do just that. It will open the URL’s that are trustworthy in a normal mode allowing interaction with the OS and the disk whereas the URL’s that aren’t trustworthy will open in a separate non-persistent container. Anything trying to come in through this session would be blocked by Windows Defender Application Guard.
Demo: Windows Defender Application Guard against ransomware
Sources of threats don’t end here. Vulnerabilities in published Web Applications is another channel for the attackers to get in. We will discuss secure development of web application in the next writeup. So, watch out for it.