# Windows Defender ATP has protections for USB and removable devices

Published 2018-12-19 (last modified 2023-05-26)
https://www.microsoft.com/en-us/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/
Meet Jimmy. Jimmy is an employee in your company. He Does Things With Computers (official title).

Last Wednesday, as Jimmy got out of his car after parking in the company-owned parking lot, he saw something on the ground.

That "something" is a 512GB USB flash drive!

Jimmy picks up the drive, whistling to himself as he enters the office and settles down in his cubicle, at which point he plugs in his new, free USB flash drive. Without knowing it, Jimmy has just allowed targeted malware into your company's network.

Next up, we have Zee, who has been working on an important new account. She has a presentation coming up after the holidays and wants to make a final few tweaks while she's away from the office on vacation. On the Friday before she leaves, she plugs in her corporate-approved USB flash drive and copies over the presentation files, including the client's information about their yet-to-be-registered patent ideas.

On Saturday at the airport, as she's digging around in her bag for her plane tickets, she accidentally drops the USB drive with the Peterson account's files. She doesn't tell you – she doesn't even realize she's lost the drive.

A less-than-honest person swoops by and picks up the drive.

On Tuesday, you hear from the Peterson account – they've decided to go with another company that hasn't had their files stolen and sold across the dark web.

These are pretty scary scenarios – but they are possible. So, how do you protect against these and similar attacks?

Knowing that removable device usage is a concern for enterprise customers in both of these types of scenarios, we've worked on how removable devices can be protected with Windows Defender Advanced Threat Protection (Windows Defender ATP):

- Protect against malware infections that use USB devices to spread
- Control how users can use removable devices (DLP)
- Use advanced hunting queries to view and identify suspicious removable device activity

We recommend a layered approach for device control security, which incorporates multiple avenues of protection, including each of the above. In future blogs we'll also talk about recent malware infections that use USB drives to spread, and dive deeper into how data loss prevention should be a part of your device control strategy.

## Protect against malware infections that use USB devices to spread

We know, unfortunately, that people will plug in devices with unknown history (and that there are also attackers out there who directly attempt to control devices without relying on social engineering). These devices could be the source of malware infections that use USB and other removable devices to get initial access to a system or network.

This vector of attack falls under social engineering – in this case, appealing to our weakness for "shiny things": when we see a "free" item we're inclined to take it, even if we don't need it – it becomes shiny and exciting and precioussssess and we wantssesss it.

To help protect against these attacks, you can prevent *any* removable device from being seen and interacted with by blocking users from using any removable device on the machine.

To help refine how you use this feature, with Windows Defender ATP you can block only certain, defined external devices from being used on certain machines or by certain users.

You can use device hardware IDs to lock out (or enable) specific device types and device manufacturers. You'll need to do some manual configuration with a DeviceInstallation policy that uses the IDs you specify, which you can read about at our documentation site. This way you can be more targeted, without blocking employees that need to use USB drives.

If you allow removable devices in your organization, we recommend listing known good devices in an allow list. For example, if your company buys only from a handful of device manufacturers, you can allow only those manufacturers.

After reducing which removable devices can be used in your company, you can also make sure that the removable storage drives you do allow are protected by Windows Defender Antivirus when they are connected.

First, ensure that real-time scanning for USB devices is enabled, and then make sure to enable the Exploit Guard attack surface reduction rule that can block untrusted and unsigned files on the removable device as soon as it's connected.

If the device has direct memory access (DMA) capability (typically Thunderbolt devices), it can potentially bypass the login and lock screen.

You can prevent this by blocking devices from having DMA until a user logs on.

This can be done in Intune by creating a **Device Restrictions** policy and setting the **Direct Memory Access** toggle to **Block** under the **General** settings category, or with the DmaGuard MDM CSP policy.

View the device control support documentation for other Windows Defender scanning options (including scheduled scans and starting scans after a removable device is mounted) as well as other DMA protections.

## Control how users can use removable devices (DLP)

Another angle that can be used within this range of defenses is data loss prevention (DLP). DLP seeks to prevent unintentional (and intentional) loss or theft of sensitive company information. A DLP solution should include a holistic approach across multiple vectors or places where information can be improperly shared. Some of the DLP solutions we offer are:

The two parts of DLP that are most relevant to removable devices are the use of BitLocker (in particular, BitLocker To Go) and Windows Information Protection (WIP).

We'll be publishing a blog in the new year that talks more about DLP solutions, but in this blog we're going to focus on BitLocker and WIP as potential protections against the scenarios we started with.

You can require that files written to removable media are BitLocker protected through Intune configuration settings.

When you plug in a device that has been encrypted with BitLocker, any files added to the device are automatically encrypted. If someone then tries to access those files on that removable drive by plugging it into another, untrusted computer, they will be prompted to decrypt the removable drive. They won't be able to do this without a recovery key, password, or smart card, which only company employees have.

With Windows Information Protection, users are prevented from copying sensitive information and from running files that belong to unknown or untrusted apps. This means users that try to copy sensitive or confidential-marked materials will be prevented from doing so, and will be notified depending on the level of enforcement.

On the flip side, however, it can be hard to know which devices you should block, and when and which users to prevent from using removable devices, so you can deploy the protections above to specific Active Directory or Intune groups to restrict the controls to certain groups.

For example, you may have employees that should never need to use removable devices because their work is sensitive and shouldn't be shared. However, you don't want to prevent your creative, sales, and marketing teams from being able to easily share content briefs with external groups.

## Use advanced hunting queries to view and identify suspicious removable device activity

Going beyond these tactics, you can use advanced hunting in Windows Defender ATP to identify users, machines, and types of devices that are being used suspiciously, as in the following example:

```kusto
// Plug-and-play device connection events
MiscEvents
| where ActionType == "PnpDeviceConnected"
// AdditionalFields is a JSON string; parse it so its properties can be projected
| extend ParsedFields = parse_json(AdditionalFields)
| project ClassName = tostring(ParsedFields.ClassName),
          DeviceDescription = tostring(ParsedFields.DeviceDescription),
          DeviceId = tostring(ParsedFields.DeviceId),
          VendorIds = tostring(ParsedFields.VendorIds),
          MachineId, ComputerName, EventTime
// Keep only storage and USB device classes
| where ClassName contains "drive" or ClassName contains "usb"
```

This is a small part of the full query ("Map external devices") on our hunting GitHub repository (authored by Microsoft Senior Engineer Tomer Alpert).

## Where to get more information and support

For more details and examples on implementing the above scenarios to help protect your assets, refer to the device control support documentation.

If you have any further questions or would like more information about the feature, just leave us a comment below or get in touch with us on Twitter. We'll be back in the new year with even more device control capabilities, so make sure to subscribe or bookmark or follow or whatever you need to do so you don't miss out – we'll also be writing more blogs about the different ways you can use device control, such as data loss prevention (DLP) and disconnected devices.

**Jody Cedola** (@SecureITBlanket) and **Iaan D'Souza-Wiltshire**
*Windows Defender Advanced Threat Protection*

#### Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.