Defend against zero-day exploits with Microsoft Defender Application Guard

Zero-day security vulnerabilities—known to hackers, but unknown to software creators, security researchers, and the public—are like gold to attackers. With zero-days, or even zero-hours, developers have no time to patch the code, giving hackers enough access and time to explore and map internal networks, exfiltrate valuable data, and find other attack vectors.

Zero-days has become a great profit engine for hackers due to the imperil it poses to the public, organizations, and government. These vulnerabilities are often sold on the dark web for thousands of dollars, fueling nation-state and ransomware attacks and making the cybercrime business even more appealing and profitable to attackers.

Social engineering unlocks doors to zero-day attacks

With zero-day being the new constant, organizations must defend and protect themselves, paying special attention to the user applications as most of the zero-day vulnerabilities out there fall within this environment.

Attackers leverage social engineering tactics to gain users’ trust, deceive them, and influence their actions—from opening a malicious link attached to an email to visiting a compromised website. The malicious code executes when the application opens the weaponized content, exploiting vulnerabilities and downloading malware on the endpoint.

This combination of sophisticated social engineering attacks is a lethal weapon that leverages “the art of deception” combined with human-operated ransomware, allowing attackers to stay undercover while exploiting a system’s vulnerabilities. It creates the perfect scenario for a zero-day attack, allowing attackers to expertly spread and compromise more devices than ever before.

App isolation helps defend against zero-day exploits

In such a challenging environment, where application and web browser scans and filters on their own may not be able to stop attackers from tricking users and preventing malicious code to execute, isolation technology is the way forward to defend against zero-day exploits.

Based on the Zero Trust principles of explicit verification, least privilege access, and assume breach, isolation treats any application and browsing session as untrustworthy by default, adding multiple roadblocks for attackers attempting to get into users’ environments.

Isolation is fully embedded into Microsoft Windows chip to cloud security posture, enabling applications to apply and run in state-of-the-art virtualization technology, such as Microsoft Defender Application Guard (Application Guard), to significantly reduce the blast radius of compatible compromised applications.

With Application Guard, websites and Office files run in an isolated hypervisor (Hyper-V) based container, ensuring that anything that happens within the container remains isolated from the desktop operating system. This means that malicious code originates from a document or website which is running inside the container, the desktop remains intact, and the blast radius of the infection remains confined within the container.

This is the same virtualization-based security (VBS) technology that also powers other Windows security features like Credential Guard and Hypervisor Code Integrity (HVCI).

Presenting Hardware Isolation of Microsoft Edge and Microsoft Office products. Workflow being displayed at the bottom with Device Hardware being the focal point, flowing through Kernel, into the Windows platform before reaching Microsoft Office, Microsoft Edge, and Apps.

Today, the power of Application Guard local isolation is natively built into Microsoft Edge and Microsoft Office, providing seamless protection against malicious Word, PowerPoint, and Excel files and also malicious websites. We have extended this protection to Google Chrome and Mozilla Firefox via the Application Guard plugin, which allows untrusted websites to be opened in isolation using Microsoft Edge.

Application Guard delivers a great first line of defense for organizations—when users run an app or open email attachments and click on a link or an URL, if any of these have malware, it will be contained in the sandbox environment and won’t be able to access the desktop, its systems, or data. Additionally, every malicious attack contained by Application Guard helps inform and improve global threat intelligence, enhancing overall detection capabilities and protecting not only your organization but also millions of other Microsoft customers across the world.

Application Guard for Zero Trust

Isolation is an important part of any organization’s strategy in deploying Zero Trust and defending your system from being compromised without jeopardizing performance and productivity.

Based on the following principles of Zero Trust, isolation technology in Windows forms the backbone of Application Guard providing stronger protection and greater assurance to your users while empowering them to click anywhere.

Verify explicitly: Admins can also configure device health attestation policies in their organization using Microsoft Intune. Together with conditional access, these policies will ensure and attest that Windows boots with secure boot enabled—ensuring that the hypervisor booted correctly, and the App Guard container is secure.
Least privilege: The hardware isolated container used by Application Guard implements a secure kernel and user space and does not allow any access to the user’s desktop or other trusted resources in an enterprise.
Assume breach: For all purposes, this container is considered non-trustworthy and is used to run untrusted content. There is no user data or any identity present inside the container. It is assumed that the untrusted content may contain malicious code.

Learn more

For more information, check out:

The Application Guard overview
Zero Trust

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defend against zero-day exploits with Microsoft Defender Application Guard appeared first on Microsoft Security Blog.

Read more: