Microsoft’s pre-patch information sharing on vulnerabilities in its software has been expanded to include incident responders dealing with advanced targeted attacks.
The Redmond, Washington-based software vendor today announced a major expansion of the five-year-old Microsoft Active Protections Program (MAPP), which is aimed at reducing the window of exposure to hacker attacks.
Until now, MAPP has shared vulnerability data to give anti-malware, intrusion prevention/detection and corporate network security vendors a head-start in adding signatures and filters that protect against Microsoft software vulnerabilities. That part of the program will remain, but Microsoft has now added two new programs specifically aimed at the explosion of APTs (advanced persistent threats) against governments and businesses worldwide.
According to Microsoft Senior Security Strategist Jerry Bryant, the new MAPP for Responders will provide “threat indicators” to qualified security response teams. These will include malicious URLs, file hashes, incident data and relevant detection guidance.
“The information we plan to share with response partners is focused more on threat intelligence than specifically on vulnerabilities. Where these two programs come together is around incident response. Arming more defenders against targeted attacks is a key part of our overall strategy,” Bryant explained.
Microsoft plans to support Mitre’s STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications so that the indicators can be exchanged in a structured, machine-readable form and consumed automatically.
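As an added illustration of the kind of structured indicator exchange described above (this is example code, not code from Microsoft or from the MAPP for Responders feed, whose actual format and contents are not described here), the following Python builds a STIX indicator bundle from a file hash and a malicious URL, then matches it against observations collected from hosts during an incident. It assumes the STIX 2.1 JSON object layout (the current revision, rather than the STIX 1.x XML that was current when the program launched); the indicator values and host observations are constructed sample data.

```python
"""Build a STIX 2.1 indicator bundle from MAPP-style threat indicators and
match it against observations gathered during an incident (added example;
indicator values and observations below are constructed, not real data)."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample indicators of the two kinds named in the article:
# a file hash and a malicious URL. Neither value is real.
SAMPLE_INDICATORS = [
    {"kind": "sha256", "value": "0123456789abcdef" * 4,
     "name": "Dropper document hash (constructed example)"},
    {"kind": "url", "value": "http://example.invalid/landing/update.php",
     "name": "Exploit landing URL (constructed example)"},
]

# Constructed host observations, e.g. from a file inventory and a proxy log.
SAMPLE_OBSERVATIONS = [
    {"host": "ws-017", "sha256": "0123456789ABCDEF" * 4},            # uppercase copy of the hash: hit
    {"host": "ws-017", "url": "http://example.invalid/landing/update.php"},  # hit
    {"host": "ws-042", "url": "http://intranet.example.invalid/portal"},     # benign, no hit
    {"host": "ws-042", "sha256": "fedcba9876543210" * 4},            # unknown file, no hit
]


def _stix_id(obj_type):
    # STIX 2.1 identifiers are "<type>--<UUID>".
    return f"{obj_type}--{uuid.uuid4()}"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def indicator_pattern(kind, value):
    """Return a STIX pattern for a SHA-256 file hash or an exact URL."""
    if kind == "sha256":
        if not re.fullmatch(r"[0-9a-f]{64}", value):
            raise ValueError("sha256 indicator must be 64 lowercase hex characters")
        return f"[file:hashes.'SHA-256' = '{value}']"
    if kind == "url":
        return f"[url:value = '{value}']"
    raise ValueError(f"unsupported indicator kind: {kind}")


def build_bundle(indicators):
    """Wrap indicator dicts into a STIX 2.1 bundle of indicator objects."""
    ts = _now()
    objects = []
    for ind in indicators:
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": _stix_id("indicator"),
            "created": ts,
            "modified": ts,
            "name": ind["name"],
            "indicator_types": ["malicious-activity"],
            "pattern": indicator_pattern(ind["kind"], ind["value"]),
            "pattern_type": "stix",
            "valid_from": ts,
        })
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": objects}


# Only the two pattern shapes produced above are parsed back; anything else
# would need a full STIX pattern parser and is skipped.
_PATTERN_RE = re.compile(r"^\[(file:hashes\.'SHA-256'|url:value) = '([^']*)'\]$")


def match_observations(bundle, observations):
    """Return (indicator name, observation) pairs for every observation that
    matches an indicator in the bundle. Hashes are compared case-insensitively."""
    lookup = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = _PATTERN_RE.match(obj["pattern"])
        if not m:
            continue
        kind = "sha256" if m.group(1).startswith("file:") else "url"
        lookup[(kind, m.group(2))] = obj["name"]

    hits = []
    for obs in observations:
        for kind in ("sha256", "url"):
            value = obs.get(kind)
            if value is None:
                continue
            if kind == "sha256":
                value = value.lower()  # normalise before lookup
            name = lookup.get((kind, value))
            if name:
                hits.append((name, obs))
    return hits


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_INDICATORS)
    print(json.dumps(bundle, indent=2))
    for name, obs in match_observations(bundle, SAMPLE_OBSERVATIONS):
        print(f"HIT on {obs['host']}: {name}")
```

The bundle is what a TAXII server would hand a responder; the matching step is the part a response team automates on its own side, which is why the hash is normalised to lowercase before lookup (hashes arrive in both cases from different tools). Exact URL matching is deliberately strict here; real feeds usually carry domain or path indicators alongside full URLs.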
Bryant said the surge in targeted attacks, now one of the primary threats to enterprises, governments and other entities, pushed Microsoft to expand the MAPP program. “Incident responders, including response companies, CSIRTs, ISACs, and security vendors, represent the front lines in the fight to detect, respond, and remediate these attacks. Through this new program, MAPP for Responders, we are working to build new partnerships and community collaborations that will enable strategic knowledge exchange,” he added.
Separately, Microsoft launched a new MAPP Scanner tool to help pinpoint if certain files or documents are attempting to exploit security vulnerabilities.
MAPP Scanner, currently in a closed pilot program, is described as a cloud-based service that scans Office documents, PDF files, Flash movies, and suspect URLs to determine whether they are attempting to exploit a vulnerability. It performs both static and active analysis: for the active part it spins up virtual machines for every supported version of Windows and opens the content in the supported versions of the appropriate application, Bryant explained.
Bryant also said MAPP Scanner can identify an attempt to exploit a known vulnerability and return the CVEs and affected platforms for that issue, while also flagging suspicious activity not associated with any known vulnerability for deeper analysis. “MAPP Scanner is extremely effective in identifying previously unknown vulnerabilities while at the same time dramatically improving the ability and efficiency of responders investigating an incident,” he added.
MAPP Scanner is also aimed at Microsoft partners who are likely to be subjected to targeted attacks.