Many companies have a red team, or several, and they generally share the same purpose—to play the role of an attacker, probing releases new and old for vulnerabilities, hoping to catch bugs before the bad guys do. Few of them, though, focus on a target as ubiquitous as Windows, an operating system that still boasts nearly 90 percent market share for laptop and desktop computers worldwide. When Windows breaks, the whole world hears the shatter.
Putting It Together
The Windows red team didn’t exist four years ago. That’s around the time that David Weston, who currently leads the crew as principal security group manager for Windows, made his pitch for Microsoft to rethink how it handled the security of its marquee product.
“Most of our hardening of the Windows operating system in previous generations was: Wait for a big attack to happen, or wait for someone to tell us about a new technique, and then spend some time trying to fix that,” Weston says. “Obviously that’s not ideal when the stakes are very high.”
Weston wanted to go beyond Microsoft’s historical mode of using bug bounties and community relationships to formulate a defense. He was tired of the reactive crouch, of responding to known issues rather than discovering new ones. He wanted to play some offense.
Drawing inspiration from his experience with whitehat hackers at events like Pwn2Own—and tired of waiting until the competition ended to glean valuable insights into Windows vulnerabilities—Weston began putting together a team that would essentially conduct a Windows-focused hacking contest every day of the year.
Today, members of that team include Jordan Rabet, whom David noticed after Rabet showed off an impressive Nintendo 3DS jailbreak in a 2014 YouTube video. Rabet currently focuses on browser security but also played a key role in Microsoft’s response to the Spectre vulnerability that rocked the computer industry less than a year ago.
Viktor Brange, who lives in Sweden, helped respond to the leaked NSA Windows-hacking tool EternalBlue by sifting through Microsoft’s code base, ascertaining the severity of various issues to triage. Adam Zabrocki’s deep Linux experience helps tackle kernel and virtualization issues. Jasika Bawa helps transform the team’s findings into actual product improvements. And two other members of the team WIRED spoke with for this story do sensitive enough work that they requested anonymity.
Together, the red teamers spend their days attacking Windows. Every year, they develop a zero-day exploit to test their defensive blue-team counterparts. And when emergencies like Spectre or EternalBlue happen, they’re among the first to get the call.
Code Red
Again, red teams aren’t novel; companies that can afford them—and that are aware they could be targeted—tend to use them. If anything, it may come as a surprise that Microsoft hadn’t sicced one on Windows until so recently. Microsoft as a company already had several other red teams in place by the time Weston built one for Windows, though those focused more on operational issues like unpatched machines.
“Windows is still the central repository of malware and exploits. Practically, there’s so much business done around the world on Windows. The attacker mentality is to get the biggest return on investment in what you develop in terms of code and exploits,” says Aaron Lint, who regularly works with red teams in his role as chief scientist at application protection provider Arxan. “Windows is the obvious target.”
Training that mindset internally on Windows has already paid dividends. In addition to helping mitigate Spectre and EternalBlue—the team can only say so much about what, exactly, they did in either case—they’ve notched some important wins that helped not only Microsoft, but the entire industry.
At the top of Weston’s list is shutting down a phishing attack used by notorious Russian hacking group Fancy Bear, which Microsoft calls Strontium, by shoring up Win32k, a Windows kernel driver and popular hacker punching bag.
“In most browser attacks, you first need to compromise what’s called the browser sandbox, and then you need a way out of that sandbox to do what attackers want to do, information theft or persistent access to the machine,” Weston says. “It turns out that this very old and large kernel surface is the ideal place to do that.”
By attacking that surface through the eyes of an adversary, the team found previously undisclosed techniques to leverage it in an attack. Which meant, in turn, that Microsoft was able to ship an update that blocked those same efforts in Windows 10 Anniversary Edition in the fall of 2016. The Windows 10 Creators Update, released six months later, took even further steps to detect kernel exploits.
It’s an important win, and one that may not have come so quickly had Microsoft relied on more traditional methods of vulnerability-spotting.
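As an added, illustrative example that is not part of the original article: one defender-side control for the Win32k surface Weston describes is the Win32k system-call lockdown process mitigation, which a sandboxed process that never draws to the screen can opt into, so that a sandbox compromise cannot reach win32k.sys at all. The PowerShell below uses the built-in ProcessMitigations module (Windows 10 version 1709 or later) to audit and enable that setting for a process image. The executable name is a placeholder, and the article does not say which specific controls Microsoft’s 2016 and 2017 updates used; this is one general control for the same attack surface.

```powershell
# Added example, not code from the article or from Microsoft's red team.
# Audits and enables the Win32k system-call lockdown for one process image
# using the ProcessMitigations module (Windows 10 1709+). Changing the
# setting needs an elevated PowerShell session.

# Placeholder image name: substitute the renderer/sandbox process you own.
$sandboxedExe = 'sandbox_renderer.exe'

function Get-Win32kLockdownState {
    param([Parameter(Mandatory)][string]$Name)
    # Get-ProcessMitigation reports each mitigation as ON, OFF or NOTSET.
    $policy = Get-ProcessMitigation -Name $Name
    return $policy.SystemCalls.DisableWin32kSystemCalls
}

$before = Get-Win32kLockdownState -Name $sandboxedExe
Write-Host "Win32k syscall lockdown for ${sandboxedExe}: $before"

if ($before -ne 'ON') {
    # Block win32k.sys system calls from this image. Only appropriate for a
    # process that never creates windows or draws (a renderer or sandbox
    # process); a GUI process with this policy will fail, so test first.
    Set-ProcessMitigation -Name $sandboxedExe -Enable DisableWin32kSystemCalls
}

# Re-read the policy so the change is verified, not assumed.
$after = Get-Win32kLockdownState -Name $sandboxedExe
if ($after -ne 'ON') {
    Write-Warning "Win32k lockdown is still '$after' for $sandboxedExe"
}

# Dump the full mitigation set for baselining in an audit or detection pipeline.
Get-ProcessMitigation -Name $sandboxedExe | Format-List
```

The audit step matters as much as the enable step: a mitigation that is configured but reported as OFF or NOTSET for the image is exactly the kind of gap a red team would find before an attacker does, so the before-and-after read is what turns the script into a check rather than a one-shot change.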
“What it tends to be is finding the issues that are a little bit beyond the pale in terms of security vulnerability, that might not be an immediately apparent or directly searchable, findable from vulnerability scanning techniques,” Arxan’s Lint says. After all, you can only scan for problems you already know about. A red team finds the ones you don’t.
Running Out the Clock
The members of the red team don’t have a specific quota; they’ll prioritize targets based on things like what they’ve seen hackers exploit in the wild or which features are relatively untested and sensitive.
“We want to emulate the kinds of things we’ve seen in the wild and then take it to the next level,” says Rabet. “People were doing something a couple of years ago; where are they going to go next? And we try to go in that direction.”
At the same time, the team needs to be selective. “Bugs will always be there,” Zabrocki says. “We can’t fix all the bugs in the world,” especially with as big and complex and constantly evolving a product as Windows. Better, then, to focus on broader solutions like kernel anomaly detection, which can help prevent a whole host of woes.
And solving a problem entirely sometimes isn’t even the objective. Every time the Windows red team starts a project, they also start a clock.
“The goal of the timer is to give us an objective cost analysis of what it takes to hack something,” Weston says. “A start-to-finish, median cost to attack something puts an economic tag on a compromise that’s something we can drive up over time, which we think is a good objective metric.” The more time and money a hack costs to execute, in other words, the less likely an attacker will be to pursue it. Weston hands out computer-shaped trophies for particularly good finds.
The red team doesn’t issue patches, of course, which can lead to some frustrations if they find what they view as a pressing vulnerability that ends up not getting a timely fix. “A lot of it depends on the internal mechanisms within the company. It’s a big company. There are a lot of people who want to have a say in how we do things,” says one anonymous team member, who laments that Microsoft can sometimes take months to fix what both internal and external security researchers see as serious issues.
Helping set those priorities is Bawa, who uses the red team’s activity as an “internal barometer” of how effective Microsoft’s endpoint detection products are—especially against attacks they’ve never seen before. “It really comes down to being able to look at their activity as a blueprint for what we might expect from state-of-the-art activity coming from outside of Microsoft.”
Windows will always be a popular hacker target, and Weston’s team is just one piece of Microsoft’s efforts to protect it. But given the sophistication of hackers, whether they’re nation states or criminal syndicates, it’s at least comforting to know that there’s a team in Redmond keeping pace with the bad guys—and even staying one step ahead.