Microsoft has an elite team of hackers who work hard to keep desktop computers running the Windows operating system safe.
But who are these hackers?
Where does Microsoft get them?
Well, one of the members of the elite Microsoft jailbroke various versions of Nintendo handhelds in his former hacker life.
There is another member of the same team who has several zero-day security exploits to show in his CV.
The third member, who recently signed on with the company, came to Microsoft just before the notorious and hugely damaging Shadow Brokers leak.
But that’s not all.
Microsoft has many more hackers with such works to show.
All of these hackers are actually members of the Elite Microsoft hacker team that goes by the name of Windows red team.
The Windows red team basically represents a group.
This group consists of hackers working at Microsoft who had previously spent their glory days finding various types of security holes in some of the world’s most widely-used software applications.
For the most part though, they targeted the one that almost all of us have used at one point or another:
These hackers “work” on Windows and perhaps one should be thankful to them for that.
Without such hackers working for companies such as Microsoft, there is a good chance that the majority of the Windows users would get toast everytime a new exploit came out.
Of course, Microsoft is not the only company that has a red team.
Many other technology companies have the same.
Sometimes technology companies have several of these hacking teams in order to hack-proof their software applications.
No matter how many groups a given company has, most of the time their purpose is the same.
That general purpose, which all hackers team share, is that of playing the critical role of a cyber attacker.
These red teams probe software releases old and new.
They look for specific vulnerabilities which another hacker could use to damage an individual or an organization.
Their hope is to catch security exploits and other bugs before any of the bad dudes have a chance of doing so before them.
A few of such hacker team specifically focus their energies on targets such as Windows.
Windows, for all its faults, is still pretty much ubiquitous.
Recent studies suggest that Windows can still boast almost 90 percent of the total market share for desktop and laptop computer machines worldwide.
While that’s great for the company, it isn’t such good news for organizations and individual users who want to protect themselves against hackers.
Whenever something in the Windows operating system breaks, there is a high chance that the whole world hears the resulting shatter.
How Did Microsoft Come Up With An Idea For A Team Of Hackers To Protect Users And Organizations?
Microsoft didn’t always have a Windows read team.
It only came into existence about four years ago.
The year 2014 represented the year when David Weston came up with the idea of trying another approach to product security.
Currently, he leads the entire crew as Windows principal security group manager.
He made the pitch of the new approach to security to Microsoft around the same time in 2014.
David wanted the company to change the way it thought and handled issues related to security of Microsoft’s premium and marquee product.
Recently Weston said that most of the company’s hardening of its premium Windows operating system, as far as the previous generation was concerned, went something like this,
- Keep waiting till a big cyber attack took place
- Alternatively, wait till someone came up with new information about a cutting-edge security technique.
- After that, spend a good bit of time in making efforts to fix the security threat.
According to Weston, such an approach was never an ideal situation when stakes were extremely high.
Because of this belief, Weston wanted to go where no one had gone before.
He wanted measures that went beyond the company’s historical mode.
A mode in which the company made use of community relationships as well as bug bounties to come up with a formulated defense.
Weston had grown tired of the old reactive crouch approach.
This is an approach where a company only responds to issues that are known.
Weston wanted Microsoft to discover new security issues rather than fix ones that were already presented.
This is what Weston called playing on the offense rather than defense.
Weston drew a lot of inspiration from his previous experience at events like Pwn20wn with white hat hackers.
But he got bored with the entire idea.
Because one had to wait until the end of the competition in order to start gleaning all the valuable information and insights into the Windows operating system’s security vulnerabilities.
So what did Weston do?
He began his conquest to put together a security team.
This security team would essentially do one thing each day of the whole year:
Conduct hacking contests that only focused on Windows security vulnerabilities.
Fast forward to today and the Windows red team consists of members such as Jordan Rabet.
Who is Jordan Rabet?
David took notice of Jordan Rabet when Rabet managed to show off his hacking skills by jailbreaking Nintendo 3DS with impressive skills.
Rabet did that in 2014.
And also posted a video of doing so on YouTube.
Currently, Rabet has kept himself busy with a focus on web browser security.
However, he has also played critical roles in the company’s response to security vulnerabilities such as Spectre.
As most of us know by now, the Spectre security vulnerability rocked the whole computer industry a little less than 12 months ago.
Another member who lives in Sweden, Viktor Brange, assisted the company to come up with a good response to Eternal Blue.
A tool that the NSA leaked which helped bad actors hack Windows.
How did he help Microsoft?
He spent time sifting through the whole of the company’s code base.
Then he ascertained all the various security issues and their severity to triage.
Another member, Adam Zabrocki had deep and significant experience with Linux.
He currently helps the company to tackle virtualization and kernel security issues.
Then there is Jasika Bawa.
Bawa assists the company to transform the whole team’s security findings into real-world product enhancements.
WIRED spoke with two other important members of the Windows red team as well.
But because of the sensitive nature of their work, they requested WIRED to maintain their anonymity.
As a whole group, members belonging to the Windows red team spent all their days doing one thing:
Attacking the Windows operating system.
Each year, the Windows red team work hard to develop zero-day security exploits in order to test the Windows blue team.
The Windows blue team is the defensive counterpart of the attacking Windows red team.
Moreover, whenever security emergencies such as EternalBlue and Spectre take place, the Windows red team plus the blue team are amongst the first group of people to get the emergency call from the company.
Windows Security And Code Red
As mentioned before as well, having red and blue teams to enhance the product’s security isn’t particularly a novel concept.
Of course, only companies that have the resources to afford such teams actually have them.
Companies who have a great awareness that hackers could target their products also have this tendency of using such red teams to enhance their product’s security.
If anything, some may find it surprising as to why Microsoft hadn’t managed to sic one on its premium operating system, Windows, for so long.
As a company, Microsoft, already had in place multiple red teams.
In fact, the company had them in place well before Weston came up with the idea.
But Weston built a Windows red team that specifically focused on the operating system’s operational security issues.
These issues involved solely unpatched computer machines.
He also plays the role of the chief scientist at Aexan, the application protection provider.
While talking to reporters he said that Windows still represented the single product that acted as the central repository of all exploits and malware.
In practical terms, most of the world’s businesses relied on Windows to do their work.
And that’s where hackers come into play.
Hackers don’t want to target systems they know won’t give them much in return.
So what do they do?
They target systems that people and organizations make use of.
That is the typical attacker mentality.
They want to get the biggest possible return on their well-thought and well-constructed investment.
What is that investment?
That investment is the code that the hacker writes and the exploits he makes use of to target different entities.
According to Aaron Lint, to such attackers, Windows represents the most obvious target.
That’s what people in red teams train on.
They train on that particular mindset.
Because of the fact that red teams have internally trained for such attacks, they have already paid all the dividends as far as Windows security issues are concerned.
Additionally, the Windows read team has not only helped the company deal with security vulnerabilities such as EternalBlue and Spectre, it has mitigated many other security issues.
Of course, the red team isn’t at the liberty of telling reporters what exactly did they do in any of the cases mentioned above.
But the thing readers need to realize is that such red teams have notched up some really significant wins over bad actors.
In fact, these red teams have not only helped Microsoft in keeping its product safe and secure but have also helped the entire computer industry.
So what’s on Weston’s list at the moment?
Right now, right at the top is a task which involves Weston’s team to shut down a phishing attack that goes by the name of Strontium.
Fancy Bear, a Russian hacking group, regularly takes the help of this phishing attack to harm individuals and organizations.
How does Weston’s team plan on doing that?
Well, first, they want to shore up Win32k.
What is Win32k?
It is a Windows kernel driver.
And because of its significance, hackers usually consider it as a punching bag.
Weston recently mentioned that in most web browser based cyber attacks, hackers first have this need of compromising, what the community calls, the web browser’s sandbox.
After doing so, they the hackers need an efficient way out of the browser’s sandbox.
Why do they want to get out of the sandbox?
Because only after hackers have successfully made their way out of the browser’s sandbox can they begin to do what they want to do.
And what do hackers want to do?
They want to have persistent access to the target machine.
They also want to steal sensitive information.
Weston also said that, the red team had great awareness about the fact that hackers considered the very old and rather large kernel surface as the absolute ideal place to start their operations.
Weston had his red team attack that kernel surface but only through the eyes of the team’s adversary (the actual potential hackers).
While doing so, the red team discovered previously undisclosed hacking techniques that hackers could use to gain a massive amount of leverage in various types of cyber attacks.
What did that mean for the company?
For Microsoft, it meant that the company gained the ability to ship security updates that effectively blocked the same kind of hacking efforts in its Windows 10 Anniversary Edition.
Microsoft shipped out the update in fall of 2016.
About six months later, Microsoft released the Windows 10 Creators Update.
This update took further concrete steps in order to detect other previously hidden kernel security exploits.
There is little doubt about the fact that, the red team has given Microsoft some important wins.
The case in point is the example that was mentioned above.
Some argue that had Microsoft continued to rely on more traditional and conventional methods and techniques of vulnerability-spotting, the company would not have managed to come up with security patches so quickly.
According to Lint (who works at Arxan), red teams tend to help companies find security issues that are slightly beyond the pale when one is talking about security vulnerabilities.
In other words, red teams help discover security flaws which are not immediately apparent.
They also help in vulnerabilities that aren’t directly findable or searchable from standard vulnerability scanning methods and techniques.
He also said that after everything is said and done, one could only scan for security-related problems that one already knew about.
Lint also mentioned that red teams enabled companies such as Microsoft to hunt down the security vulnerabilities that the company itself did not know about.
A Race Against Time
Needless to say that members of various red teams don’t have an infinite amount of time to come up with security patches for various undiscovered vulnerabilities.
But they also don’t have to fill a specific given quota.
What members of red teams usually do so that they prioritize their targets.
In order to do that efficiently, the base their next target on techniques and methods they have observed hackers exploiting out in the wild.
They also look for features which they feel are, on a relative basis, sensitive and/or untested.
Rabet recently said that the red team wanted to emulate exactly the kind of methods and techniques that they have seen hackers use in the wild.
Not only that, according to Rabet, once the team has recognized those techniques, they want to take it up a notch by tackling higher level security vulnerabilities.
Moreover, Rabet added, the red team continuously thinks about things that hackers have used in the past.
Then the team asks itself where are these hackers likely to go at the launch of their next attack.
After that, the red team tries to go in the same direction in order to come up with a security patch even before the hacker has a chance of exploiting that vulnerability.
With that said, since members of the red team do not have an infinite amount of time and resources on their hands, they have to exercise selectivity.
According to Zabrocki, the red team will always have lots of bugs on its menu.
And obviously, the red team can’t do all the work and fix up all the security bugs in the world.
Zabrocki also said that that was especially true with the Windows red team because Windows represented a very big and complex product.
Not only that, Windows was always evolving.
Therefore, it makes more sense for the team to focus on solutions which are broad in nature.
These solutions include the previously mentioned kernel anomaly detection.
That is better for red tams because solutions to such problems can also help block a whole range of other woes.
The other thing that many readers would not realize is that sometimes the objective of the red team is to NOT come up with a complete solution to a given problem.
Because each and every time members of the Windows red and blue team start their work on a given project, they also have to deal with the clock.
Weston recently mentioned that the entire goal of the clock is to simply give the Windows red team an opportunity to carry out an objective cost analysis regarding the effort the team would have to make in order to hack a given problem.
In other words, the team has to think about the start-to-finish median value on each and every one of its attacks.
That helps the team put an economic tag on a, sort of, compromise.
The team has the option of driving up that economic tag over a period of time.
That, according to Weston, is a good and objective metric that the team can make use of.
Using such cost analysis, the team can know if a hacker is likely to pursue a particular kind of security exploit.
The higher the cost and the amount of time required for a particular hack execution, the less likely it is for a hacker to try it.
Weston does reward his Windows red team with computer-shaped trophies when they managed to find a good exploit.