In our previous article, we explored the fundamentals of Attack Surface Reduction (ASR), understanding what it entails and why it’s crucial for modern cybersecurity. In this article, we’d like to guide you through a deeper examination, starting with the core principles behind ASR rules.
The Philosophy Behind ASR Rules
From a usability perspective, Host Intrusion Prevention Systems (HIPS) aim at two main goals: letting defenders create behavior-based rules that block certain activities, and providing a way to handle false positives (FPs), usually through exclusions. This gives organizations the flexibility to tune their own controls while protecting their assets, which makes HIPS a natural foundation for ASR. Consequently, security providers (SPs) have built platforms on which organizations create and manage rules and exclusions, and that work continues for as long as the product is in use.
However, this approach has notable drawbacks. Rules are frequently written in direct response to a new incident or attack analysis, and often encode specific Indicators of Compromise (IoCs) from a known threat. Such reactive rules tend to be overly specific: once adversaries change the file name, hash, or command line the rule keys on, it no longer matches. Repeating this cycle for every new threat quickly produces hundreds, if not thousands, of rules, while the organization still struggles to stop emerging attacks.
Challenges in Working with HIPS Rules
When managing a HIPS product, organizations often encounter challenges, including:
- Developing proactive, generic rules to block novel threats
- Using exclusions to mitigate FPs that break essential internal or third-party applications
- Retiring outdated rules (end-of-life) promptly
Beyond the time required, limited visibility into the external threat landscape restricts an organization's ability to write effective rules promptly and to scope their exclusions sensibly.
Microsoft’s Unique Approach to ASR
Microsoft takes a different route with the ASR feature in Microsoft Defender for Endpoint (MDE). Rather than only providing a platform on which customers write their own rules, Microsoft uses the telemetry it collects from billions of daily signals to evaluate what a blocking rule would break before it ships. The work of creating rules is therefore shared: Microsoft defines and tunes the rules, while the organization decides which ones to enable and which exclusions it needs.
To fulfill the primary ASR goals of protecting assets from compromise and minimizing damage, Microsoft categorizes attacks by their primary entry points and designs a generic rule for each category. Because the rule targets the entry point rather than a specific sample, it blocks not only known attacks but also previously unseen ones that share that entry point. For example, many attacks start from Office documents whose malicious VBA macros call Win32 APIs directly, typically to load and execute a payload. To counter these, Microsoft introduced the rule "Block Win32 API calls from Office macros", which stops macros from calling Win32 APIs regardless of which payload a particular macro carries.
A similar approach is used to reduce post-intrusion impact. For instance, attackers frequently try to read credentials out of the memory of the LSASS process in order to move further into the network. In response, Microsoft created the rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", which prevents other processes from opening lsass.exe to read its memory and so cuts off tools that depend on dumping credentials from it.
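The two rules named above are a good place to see the shared-responsibility model in practice: Microsoft ships the rule, the organization decides when to enforce it. As an added example that is not part of the original article, the PowerShell below puts both rules into audit mode, reads back the effective configuration, and pulls the resulting audit events so that FPs and exclusions can be judged before switching to block mode. The rule GUIDs are the ones published in Microsoft's ASR rules reference (verify them against the current documentation); the event-data field names and the sample exclusion path are assumptions to adjust for your environment.

```powershell
# Added example, not code from the original article. Run from an elevated PowerShell
# prompt on a Windows endpoint where Microsoft Defender Antivirus is the active AV.

# Rule GUIDs as published in Microsoft's ASR rules reference; verify before deploying.
$AsrRules = @{
    'Block Win32 API calls from Office macros'                        = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block credential stealing from the Windows LSA subsystem (lsass)' = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

function Set-AsrRules {
    # Mode is AuditMode (log only), Enabled (block), Warn, or Disabled.
    param(
        [Parameter(Mandatory)][hashtable]$Rules,
        [ValidateSet('AuditMode', 'Enabled', 'Warn', 'Disabled')][string]$Mode = 'AuditMode'
    )
    foreach ($name in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules[$name] `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-10} {1}" -f $Mode, $name)
    }
}

function Get-AsrRuleState {
    # Read back what Defender actually applied. Actions are numeric:
    # 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }
}

function Get-AsrEvents {
    # Event 1122 = rule fired in audit mode, 1121 = rule blocked something.
    # EventData field names ('ID', 'Process Name', 'Path') are an assumption based on
    # current builds; adjust if your event payload differs.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId  = $data['ID']
            Process = $data['Process Name']   # the process the rule acted on
            Target  = $data['Path']           # file or process it was touching
        }
    }
}

# 1. Audit first: nothing is blocked, Defender only records what would have been.
Set-AsrRules -Rules $AsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# 2. After a soak period, review what fired. A line-of-business app that legitimately
#    reads LSASS (e.g. a backup agent) would show up here as an Audit event.
Get-AsrEvents -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. Exclude confirmed false positives by path (hypothetical example path), then enforce.
#    Both lines are left commented so the script does not flip to block mode unreviewed.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\LobApp\lob.exe'
# Set-AsrRules -Rules $AsrRules -Mode Enabled
```

The ordering matters: the audit events are the data that tells you whether a rule needs an exclusion, so the switch to `Enabled` belongs after that review, not in the same run. Note that an ASR-only exclusion exempts the excluded binary from every ASR rule, so keep the list short and scoped to the specific executable that needs it.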
Our next article will dive into each rule individually and explain how they’re grouped.
If you’re looking to strengthen your cybersecurity posture with expert guidance on ASR rules or other advanced security solutions, don’t hesitate to reach out to us.
Contact us today – together, we’ll keep your assets protected and your organization secure!