Microsoft Sharing Threat Intelligence Data With Incident Responders


The Microsoft Active Protection Program, designed to give antivirus vendors and security appliance makers a head start on developing signatures for pending patch releases, is being expanded to provide threat intelligence data to incident responders.

Microsoft unveiled its updated MAPP program on Monday, embracing two threat intelligence sharing frameworks to share threat indicators with incident responders. Malicious URLs, file hashes and other relevant information on new threats will be made available via Mitre's Structured Threat Information Expression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) specifications. Both frameworks are being tested by computer emergency response teams at private firms and public agencies globally.

"Arming more defenders against targeted attacks is a key part of our overall strategy," said Jerry Bryant, senior security strategist at Microsoft Trustworthy Computing, in a blog entry explaining the changes. "Regardless of format, we want to serve customers by facilitating the flow of threat intelligence to organizations who can capitalize on it."


The two frameworks Microsoft is embracing are used by financial firms and other large organizations as well as the United States Computer Emergency Response Team (US-CERT), security experts told CRN. Sean Barnum, software assurance principal at Mitre, presented the STIX framework to security researchers at the Black Hat 2013 security conference and said he hoped it would be adopted broadly. The threat information is not only used by responders, but can be fed into automated systems to provide more relevant threat detection capabilities for threat analysts, Barnum said.

Microsoft also introduced MAPP Scanner for incident responders. The cloud-based vulnerability scanning service does static and dynamic analysis against Office documents, PDF files, Flash movies and suspect URLs. The scanner can determine whether cybercriminals are using the files as an active exploit, attempting to target a Windows or Office vulnerability.

The tool spins up a virtual machine to test the files in a Windows environment, said Bryant, and can detect zero-day vulnerabilities and improve the efficiency of responders investigating an incident.

"Making this technology available to partners who are likely to be subjected to targeted attacks and those who work with them to investigate and remediate security incidents increases the likelihood of new attacks and attack vectors being discovered," Bryant said. "It also aids in the efficiency of investigations, which speeds up the process of identifying and deploying the appropriate protections."

Microsoft introduced the MAPP program in 2008. Security firms that have a long track record and meet other qualifications will be given vulnerability data up to three days before a scheduled patch release as part of the updated MAPP Validate program, Microsoft said.

The program also will allow qualified security vendors to give feedback on detection guidance before distributing it to the broader MAPP community. Microsoft, Redmond, Wash., said that could improve the quality of patch releases and speed up the signature-building process.

PUBLISHED JULY 30, 2013